Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.
The /crawl endpoint accepts a hooks parameter containing Python code, which is then executed using the exec() function. Among the allowed built-in functions (builtins) was __import__, which enabled dynamic importing of arbitrary Python modules. This allowed an unauthenticated attacker to import system modules (e.g., os, subprocess) and execute arbitrary commands on the server using them. The attack requires no authentication or user interaction.
Successful exploitation allows an attacker to achieve complete server takeover, including arbitrary system command execution, file read and write operations, sensitive data exfiltration, and lateral movement within internal networks.
Crawl4AI should be updated to version 0.8.0 or newer, in which the vulnerability has been removed. Details regarding the fix are available in the v0.8.0 release notes and in the security advisory GHSA-5882-5rx9-xgxp on GitHub. Until the patch is deployed, consider disabling public access to the /crawl endpoint or implementing firewall rules that restrict access only to trusted IP addresses.
Kidocode Crawl4AI in versions earlier than 0.8.0, deployed via Docker API
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XKidocode Crawl4ai
APPKidocode< 0.8.0
Related vulnerabilities
RCE w Crawl4AI — ucieczka z sandbox poprzez atrybuty generatorów Python
Crawl4AI: zapis dowolnych plików poza katalogiem przez path traversal i TOCTOU
SSRF w Crawl4AI — ominięcie blokady adresów wewnętrznych przez IPv6-mapped IPv4
Obejście uwierzytelnienia w Crawl4AI przez zakodowany klucz JWT
Path Traversal w Crawl4AI — odczyt dowolnych plików przez file:// URL