GHSA-qxjp-w3pj-48m7CriticalCVSS 9.8
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
🔗 CVE IDs covered (1)
📋 Description
Summary
The _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution.
The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema.
Attack Vector
An attacker sends a POST /crawl request with a JsonCssExtractionStrategy schema containing a malicious computed field expression that:
- Creates a generator to access
gi_frame - Walks the frame chain via
f_back - Reaches
f_builtinscontaining the real__import__ - Imports
osand executes arbitrary commands
Impact
Unauthenticated remote code execution inside the Docker container. An attacker can execute arbitrary system commands, read/write files, and exfiltrate secrets.
Fix Details
- Removed
eval()from computed field expression path entirely -- expressions now log a warning and return default value - Deleted
_safe_eval_expression()function and_SAFE_EVAL_BUILTINS(dead security-sensitive code) functionkey with Python callables still works for SDK users- Replaced
eval()in/config/dumpwith JSON-based input validated by Pydantic - Fixed hook_manager sandbox: stripped
__builtins__,__loader__,__spec__from injected modules; removedgetattr,setattr,type,__build_class__from allowed builtins
Workarounds
- Upgrade to the patched version (recommended)
- Enable JWT authentication via
CRAWL4AI_API_TOKENenvironment variable - Restrict network access to the Docker API
Credits
🎯 Affected products1
- pip/crawl4ai:<= 0.8.6