CVE-2025-57818
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-08-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| firecrawl | firecrawl | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a server-side request forgery (SSRF) in Firecrawl's webhook functionality in versions prior to 2.0.1. An authenticated user could configure a webhook that sent POST requests with arbitrary headers to internal URLs, potentially reaching internal systems that should not be exposed.
How can this vulnerability impact me?
The vulnerability could allow an authenticated user to reach internal systems by sending crafted requests through the webhook, potentially leading to unauthorized access, data exposure, or manipulation of internal resources.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Firecrawl to version 2.0.1 or later. If upgrading is not possible, isolate Firecrawl from any sensitive internal systems at the network level so that the SSRF cannot be used to reach them.
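As an added illustration of the mitigation class (this is example code, not Firecrawl's own fix), a Python check for webhook destinations that refuses private, loopback, link-local and IPv4-mapped targets and allows only a small set of outbound headers. The header allow-list and the DNS entries are constructed assumptions, and the resolver is injected so the code runs offline.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Headers a webhook owner may set (assumed allow-list, not Firecrawl's own).
# Anything else, e.g. Authorization or Host, is refused so a call-back cannot
# carry forged credentials to an internal service.
ALLOWED_HEADERS = {"content-type", "user-agent", "x-webhook-signature"}

def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped  # judge ::ffff:a.b.c.d by the IPv4 address it wraps
    return ip.is_global and not ip.is_multicast

def validate_webhook(url: str, headers: dict[str, str],
                     resolve: Callable[[str], Iterable[str]]) -> tuple[bool, str]:
    """Return (ok, reason). `resolve` maps a hostname to its A/AAAA records; it
    is injected so the check runs offline here, and the caller should connect
    to the addresses validated here rather than resolving again (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in webhook URL not allowed"
    host = parts.hostname
    if not host:
        return False, "webhook URL has no host"
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # literal IP: nothing to resolve
    except ValueError:
        candidates = list(resolve(host))
    if not candidates:
        return False, f"{host} did not resolve"
    for addr in candidates:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    bad = sorted(h for h in headers if h.lower() not in ALLOWED_HEADERS)
    if bad:
        return False, f"headers not allowed on webhooks: {', '.join(bad)}"
    return True, "ok"

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"hooks.example.net": ["52.1.2.3"], "ci.internal": ["10.0.0.5"]}
def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])
```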