If you discover a security vulnerability in crawl2kb, please do not open a public issue.
Instead, email security@danke.global with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.
Security-relevant areas of crawl2kb include:
- SSRF protection — the egress policy that blocks requests to private IPs, cloud metadata endpoints, and localhost
- Sitemap fetching — redirect validation, hostname pinning, and recursion limits
- Input validation — URL parsing, scheme restrictions, credential rejection
- Transport security — TLS version enforcement
| Version | Supported |
|---|---|
| latest | Yes |
crawl2kb is designed to fetch content from arbitrary user-supplied URLs. The security model assumes:
- The target URL is untrusted
- Sitemap contents are untrusted (hostile sitemap index entries, redirect chains)
- DNS responses are untrusted (DNS rebinding is mitigated by IP validation)
- The crawled HTML content is untrusted (no code execution, extraction only)
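The egress policy that the areas listed above and these assumptions imply, as an added example written for this page rather than crawl2kb's own code (the function names, the injectable `resolver` hook and the addresses used are constructed assumptions):

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Cloud metadata addresses, listed explicitly even though 169.254.169.254 is
# link-local and fd00:ec2::254 (AWS IMDS over IPv6) is unique-local already.
METADATA_ADDRS = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}

def is_blocked_ip(addr) -> bool:
    """True if a resolved address must never be contacted by the crawler."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.5 is a disguised IPv4 address; judge the embedded one.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip in METADATA_ADDRS or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)

def validate_url(url: str) -> str:
    """Scheme restriction and credential rejection; returns the hostname."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("URLs carrying credentials are rejected")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    return parts.hostname

def resolve_pinned(hostname: str, resolver=None) -> str:
    """Resolve once, reject if ANY answer is blocked, and return the address
    the connection is pinned to (Host/SNI still carry the hostname).  Never
    resolving again is what defeats DNS rebinding."""
    if resolver is None:  # real DNS by default; tests inject a constructed one
        def resolver(h):
            return sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
    addrs = resolver(hostname)
    if not addrs:
        raise ValueError(f"no address for {hostname}")
    for a in addrs:
        if is_blocked_ip(a):
            raise ValueError(f"{hostname} resolves to blocked address {a}")
    return addrs[0]

def check_egress(url: str, resolver=None) -> str:
    """Full policy for one URL; run it again on every redirect Location."""
    return resolve_pinned(validate_url(url), resolver)
```

A redirect target or sitemap index entry goes through `check_egress` exactly like the original URL, so a hop to an internal address fails at the same check.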