ragflow/pyproject.toml
OrbisAI Security b4c8711d51 fix: upgrade crawl4ai to 0.8.0 (CVE-2026-26217) (#15415)
## Summary
Upgrade crawl4ai from 0.7.6 to 0.8.0 to fix CVE-2026-26217.

## Vulnerability
| Field | Value |
|-------|-------|
| **ID** | CVE-2026-26217 |
| **Severity** | CRITICAL |
| **Scanner** | trivy |
| **Rule** | `CVE-2026-26217` |
| **File** | `uv.lock` |
| **Assessment** | Likely exploitable |

**Description**: Crawl4AI Has Local File Inclusion in Docker API via file:// URLs

## Evidence

**Scanner confirmation**: trivy rule `CVE-2026-26217` flagged this pattern.

**Production code**: This file is in the production codebase, not test-only code.

## Threat Model Context

This is a web service - vulnerabilities in request handlers are directly exploitable by remote attackers.

## Changes
- `pyproject.toml`
- `uv.lock`

## Verification
- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---
*This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.*

---
*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*
2026-05-29 21:38:41 +08:00
