Platform
other
Component
firecrawl
Fixed in
2.8.1
CVE-2026-32857 describes a server-side request forgery (SSRF) vulnerability discovered in Firecrawl, a Playwright scraping service. This flaw allows attackers to bypass network policy validation, potentially granting access to internal network services and sensitive endpoints. The vulnerability affects versions 0 through 2.8.0 of Firecrawl. A fix is expected in a future release.
The SSRF vulnerability in Firecrawl arises from insufficient validation of redirect destinations. An attacker can craft a malicious URL that initially passes validation but redirects to an internal resource. Because the validation only occurs on the initial URL, the browser will follow the redirect without further checks, effectively bypassing the intended security controls. This allows attackers to access internal APIs, databases, or other sensitive services that are not directly exposed to the internet. The potential blast radius is significant, as an attacker could leverage this vulnerability to map the internal network, steal credentials, or even execute arbitrary code depending on the exposed services.
The vulnerability was publicly disclosed on March 26, 2026. Exploitation probability is currently assessed as medium, given the relatively straightforward nature of SSRF exploitation and the potential for automated scanning. No public proof-of-concept exploits have been released at the time of writing, but the vulnerability's characteristics suggest that such exploits are likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
While a patched version of Firecrawl is the ultimate solution, several mitigation strategies can be implemented in the interim. First, implement strict URL validation and redirect filtering at the proxy or WAF level. This should include checking the destination URL after any redirects occur. Second, consider disabling redirects altogether if they are not essential for the application's functionality. Third, implement network segmentation to limit the potential impact of a successful SSRF attack. Finally, monitor network traffic for suspicious outbound requests originating from the Firecrawl service. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.
Update Firecrawl to a version later than 2.8.0. This will fix the SSRF vulnerability by correctly validating HTTP redirects.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-32857 is a server-side request forgery vulnerability in Firecrawl versions 0-2.8.0, allowing attackers to bypass network policy validation and access internal resources.
If you are using Firecrawl version 0 through 2.8.0, you are potentially affected by this SSRF vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of Firecrawl. Until a patch is available, implement mitigation strategies like strict URL validation and redirect filtering.
While no public exploits have been released, the vulnerability's characteristics suggest it is likely to be targeted. Monitor your systems for suspicious activity.
Refer to the official Firecrawl security advisories on their website or GitHub repository for updates and patch information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.