docs/blog/release-v0.8.9.md
June 2026 - 2 min read
I'm releasing Crawl4AI v0.8.9, a follow-up security patch for the self-hosted Docker API server. It closes a server-side request forgery path that v0.8.8 did not cover. It is backward compatible: upgrade in place, no configuration changes required.
If you run the Docker server, please upgrade. If it is exposed to a network, also set CRAWL4AI_API_TOKEN. A security advisory accompanies this release.
The SSRF destination check validated the crawl target URL, but not the proxy address. An unauthenticated /crawl, /crawl/stream, or /crawl/job request could point a proxy at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, even with a perfectly valid crawl URL.
v0.8.9 validates every proxy destination with the same global-routability check before the browser is built:
browser_config.proxy_config.serverbrowser_config.proxy (deprecated field)crawler_config.proxy_config.serverextra_args (--proxy-server, --host-resolver-rules, --proxy-bypass-list, --proxy-pac-url) are strippedA legitimate public proxy still works. The only behavior change: set proxies through proxy_config (which is validated) rather than raw extra_args flags.
pip install -U crawl4ai
docker pull unclecode/crawl4ai:0.8.9
The next release remains a larger, secure-by-default update for the Docker API server, with intentional breaking changes (authentication on by default, stricter request validation, safer deployment defaults). A full migration guide will accompany the pre-announcement on Discord and X. This proxy fix is already part of that release; 0.8.9 simply brings it forward because it is an unauthenticated SSRF.
Thanks to Geo for the responsible disclosure.
Live long and import crawl4ai