CVE-2025-57818

Firecrawl SSRF Vulnerability via malicious webhook

Description

Firecrawl turns entire websites into LLM-ready markdown or structured data. Prior to version 2.0.1, a server-side request forgery (SSRF) vulnerability was discovered in Firecrawl's webhook functionality. Authenticated users could configure a webhook to an internal URL and send POST requests with arbitrary headers, which may have allowed access to internal systems. This has been fixed in version 2.0.1. If upgrading is not possible, it is recommend to isolate Firecrawl from any sensitive internal systems.

Category

6.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.04%
Affected: firecrawl firecrawl
Published at:
Updated at:

References

Link Tags
https://github.com/firecrawl/firecrawl/security/advisories/GHSA-p2wg-prhf-jx79
https://github.com/firecrawl/firecrawl/commit/b15fae51a760e9810a66bbfde5d5693d0df3fbeb
https://github.com/firecrawl/firecrawl/commit/e8cf0985b07968061a6b684b58097732e827ed46
https://github.com/firecrawl/firecrawl/releases/tag/v2.0.1

Frequently Asked Questions

What is the severity of CVE-2025-57818?
CVE-2025-57818 has been scored as a medium severity vulnerability.
How to fix CVE-2025-57818?
To fix CVE-2025-57818, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-57818 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-57818 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-57818?
CVE-2025-57818 affects firecrawl firecrawl.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.