CVE-2025-28197: 
Python vulnerability analysis and mitigation

Crawl4AI version 0.4.247 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in the /crawl4ai/async_dispatcher.py component. The vulnerability was discovered and disclosed in April 2025, with the CVE identifier CVE-2025-28197. The CVSS v3.1 base score for this vulnerability is 9.1 (Critical), indicating a severe security risk (CISA-ADP).

The vulnerability exists in the async_dispatcher.py file within the Crawl4AI application. It has been classified as a Server-Side Request Forgery (SSRF) vulnerability with a CWE-918 classification. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality and integrity (CISA-ADP).

The vulnerability allows remote attackers to potentially execute server-side requests to internal or external systems through the affected component. With a Critical CVSS score of 9.1, the vulnerability poses significant risks to both confidentiality and integrity of the affected systems, though availability is not impacted (CISA-ADP).

Users and administrators of affected Crawl4AI installations should upgrade to a version newer than 0.4.247 as soon as possible. Until the upgrade can be completed, it is recommended to implement network-level controls to restrict unauthorized outbound requests from the affected component (CISA-ADP).