Files
ragflow/agent/tools
OrbisAI Security 82f3735770 fix: upgrade crawl4ai to 0.9.0 (GHSA-r253-r9jw-qg44) (#16426)
## Summary
Upgrade crawl4ai from 0.8.9 to 0.9.0 to fix GHSA-r253-r9jw-qg44.

## Vulnerability
| Field | Value |
|-------|-------|
| **ID** | GHSA-r253-r9jw-qg44 |
| **Severity** | CRITICAL |
| **Scanner** | trivy |
| **Rule** | `GHSA-r253-r9jw-qg44` |
| **File** | `uv.lock` |
| **Assessment** | Likely exploitable |

**Description**: Crawl4AI: Unauthenticated RCE via Chromium
launch-argument injection in browser_config.extra_args

## Evidence

**Scanner confirmation**: trivy rule `GHSA-r253-r9jw-qg44` flagged this
pattern.

**Production code**: This file is in the production codebase, not
test-only code.

## Threat Model Context

This is a web service - vulnerabilities in request handlers are directly
exploitable by remote attackers.

## Changes
- `pyproject.toml`
- `uv.lock`

## Verification
- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---
*This change addresses a pattern flagged by static analysis. The code
path handles user-influenced input and the fix reduces the attack
surface against both manual and automated exploitation.*

---
*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*

Co-authored-by: Ling Qin <qinling0210@163.com>
2026-07-06 21:28:19 +08:00
..