Firecrawl Playwright Service Server-Side Request Forgery Protection Bypass Vulnerability

A server-side request forgery (SSRF) protection bypass vulnerability has been identified in Firecrawl versions through 2.8.0, specifically within the Playwright scraping service. This vulnerability arises because network policy validation is only applied to the initial user-supplied URL, allowing attackers to exploit HTTP redirects to access internal or restricted resources. By sending a valid external URL that redirects to a sensitive endpoint, the browser can fetch the final destination without revalidation, potentially exposing internal network services. This issue is distinct from general redirect-based SSRF vulnerabilities, as it specifically involves a gap in post-redirect validation of SSRF protections.

Impact

Exploitation of this vulnerability allows unauthorized access to internal network services and sensitive endpoints by bypassing SSRF protections through manipulated HTTP redirects.

Remediation

Users of the open-source version of Firecrawl should update to version 1.1.1 and supply the Playwright services with a secure proxy that blocks traffic to link-local IP addresses. For those using the hosted version, no action is needed as the vulnerability has already been patched.