CVE-2025-57818 MEDIUM

CVE-2025-57818: Firecrawl SSRF Vulnerability via malicious webhook

Vendor Firecrawl
Product firecrawl
Weakness CWE-918 · SSRF
Published August 26, 2025
Last update August 26, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Firecrawl turns entire websites into LLM-ready markdown or structured data. Prior to version 2.0.1, a server-side request forgery (SSRF) vulnerability was discovered in Firecrawl's webhook functionality. Authenticated users could configure a webhook to an internal URL and send POST requests with arbitrary headers, which may have allowed access to internal systems. This has been fixed in version 2.0.1. If upgrading is not possible, it is recommended to isolate Firecrawl from any sensitive internal systems.

Key dates

02 Disclosure timeline

August 26, 2025 CVE published
August 26, 2025 Record updated