mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-07-08 04:22:20 +08:00
## Summary Upgrade crawl4ai from 0.8.9 to 0.9.0 to fix GHSA-r253-r9jw-qg44. ## Vulnerability | Field | Value | |-------|-------| | **ID** | GHSA-r253-r9jw-qg44 | | **Severity** | CRITICAL | | **Scanner** | trivy | | **Rule** | `GHSA-r253-r9jw-qg44` | | **File** | `uv.lock` | | **Assessment** | Likely exploitable | **Description**: Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args ## Evidence **Scanner confirmation**: trivy rule `GHSA-r253-r9jw-qg44` flagged this pattern. **Production code**: This file is in the production codebase, not test-only code. ## Threat Model Context This is a web service - vulnerabilities in request handlers are directly exploitable by remote attackers. ## Changes - `pyproject.toml` - `uv.lock` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.* --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* Co-authored-by: Ling Qin <qinling0210@163.com>