Severity: CRITICAL (9.8)

GHSA-qxjp-w3pj-48m7

Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API

Details

### Summary

The `_safe_eval_expression()` function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (`gi_frame`, `f_back`, `f_builtins`) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution.

The attack requires no authentication (JWT disabled by default) and is triggered via `POST /crawl` with a crafted extraction schema.

### Attack Vector

An attacker sends a `POST /crawl` request with a `JsonCssExtractionStrategy` schema containing a malicious computed field expression that:

1. Creates a generator to access `gi_frame`
2. Walks the frame chain via `f_back`
3. Reaches `f_builtins`, which contains the real `__import__`
4. Imports `os` and executes arbitrary commands

### Impact

Unauthenticated remote code execution inside the Docker container. An attacker can execute arbitrary system commands, read/write files, and exfiltrate secrets.

### Fix Details

1. Removed `eval()` from the computed field expression path entirely; expressions now log a warning and return the default value
2. Deleted the `_safe_eval_expression()` function and `_SAFE_EVAL_BUILTINS` (dead security-sensitive code)
3. The `function` key with Python callables still works for SDK users
4. Replaced `eval()` in `/config/dump` with JSON-based input validated by Pydantic
5. Fixed the hook_manager sandbox: stripped `__builtins__`, `__loader__`, `__spec__` from injected modules; removed `getattr`, `setattr`, `type`, `__build_class__` from the allowed builtins
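To show why the underscore-only rule in the original validator was insufficient and what the fix changes, here is an added illustration (not Crawl4AI's code, and not the patch itself). The denylist validator models the rule described in the Summary; the allowlist validator is a hypothetical stricter check in the spirit of the allowlist approach credited below; `compute_field` mirrors fix items 1 and 3, where a string expression is never evaluated and only a Python callable runs. The sample expressions are constructed for the demonstration and are not the reporter's proof of concept.

```python
import ast
import logging

log = logging.getLogger("computed_fields")

# Constructed sample expressions (illustrative, not the advisory's PoC).
SAFE_EXPR = "price * 1.2 if price else 0"
ESCAPE_EXPR = "(g for g in [0]).gi_frame"  # 'gi_frame' does not start with '_'


def denylist_validator(expr: str) -> bool:
    """Models the weak rule: only attributes beginning with '_' are rejected.
    Generator and frame attributes such as gi_frame pass this check."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            return False
    return True


# Hypothetical allowlist: arithmetic, comparisons, conditionals and a few
# helper calls. No Attribute, Subscript, comprehension or lambda nodes at all.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Name, ast.Load, ast.Constant, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.UAdd, ast.Not,
    ast.And, ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
ALLOWED_CALLS = {"len", "str", "int", "float", "round"}


def allowlist_validator(expr: str, field_names: set) -> bool:
    """Accept only node types on the allowlist, names that are known fields,
    and positional calls to a fixed set of helpers. Everything else fails."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False
        if isinstance(node, ast.Name) and node.id not in field_names | ALLOWED_CALLS:
            return False
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_CALLS:
                return False
            if node.keywords:
                return False
    return True


def compute_field(spec: dict, item: dict):
    """Mirrors the shipped fix in spirit: a string 'expression' is never
    evaluated (warn and return the default); a Python callable under
    'function' still runs for SDK users."""
    fn = spec.get("function")
    if callable(fn):
        return fn(item)
    if "expression" in spec:
        log.warning("computed field %r: string expressions are not evaluated; "
                    "returning default", spec.get("name"))
    return spec.get("default")


if __name__ == "__main__":
    print("denylist accepts escape expr:", denylist_validator(ESCAPE_EXPR))
    print("allowlist accepts escape expr:", allowlist_validator(ESCAPE_EXPR, {"price"}))
    print("allowlist accepts safe expr:", allowlist_validator(SAFE_EXPR, {"price"}))
    print("expression spec result:", compute_field(
        {"name": "total", "expression": SAFE_EXPR, "default": 0}, {"price": 5}))
    print("callable spec result:", compute_field(
        {"name": "total", "function": lambda it: it["price"] * 2}, {"price": 5}))
```

The point of the contrast: a denylist on attribute names has to enumerate every dangerous attribute on every reachable object, whereas an allowlist on node types never has to know that `gi_frame` exists. The project went further still and removed string evaluation from the request path altogether, which is the only option that leaves no validator to bypass.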

### Workarounds

1. Upgrade to the patched version (recommended)
2. Enable JWT authentication via the `CRAWL4AI_API_TOKEN` environment variable
3. Restrict network access to the Docker API

### Credits

- Song Binglin ([q1uf3ng](https://github.com/q1uf3ng)) - reported the AST sandbox escape
- by111 ([August829](https://github.com/August829)) - reported the hook sandbox `__builtins__` escape and hardcoded JWT secret bypass
- [jannahopp](https://github.com/jannahopp) - PR #1855 proposing eval removal
- [ntohidi](https://github.com/ntohidi) - PR #1886 proposing allowlist approach


Affected packages

- Package: PyPI / crawl4ai
- Introduced in: 0
- Fixed in: 0.8.7
- Fix: `pip install --upgrade 'crawl4ai>=0.8.7'`
