PT-2026-53176 · Pypi · Crawl4Ai

Publicado

2026-06-18

·

Atualizado

2026-06-18

CVSS v3.1

9.6

Crítica

VetorAV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g. /etc/cron.d/evil) or ../ traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents. Because the written bytes are attacker-controlled, this escalates to remote code execution (overwriting a shell rc-file, ~/.ssh/authorized keys, a cron entry, or a Python module on the import path).

Affected paths

Two download sinks in crawl4ai/async crawler strategy.py:
  • HTTP crawler (AsyncHTTPCrawlerStrategy): the filename is parsed from the response Content-Disposition header by extract filename() and written via aiofiles.open(filepath, 'wb'). Reachable directly via the SDK, and via the unauthenticated Docker /crawl endpoint when an HTTPCrawlerConfig is supplied.
  • Browser crawler (AsyncPlaywrightCrawlerStrategy): the download's suggested filename (controllable by the visited page) is joined to downloads path and written via download.save as().
The HTTP-strategy sink is reachable pre-auth on the default Docker deployment; both are reachable for SDK users simply by crawling an attacker-controlled URL. The default Playwright crawl path that does not trigger a download is unaffected.

Impact

Arbitrary file write with attacker-controlled content as the user running the crawler, escalating to remote code execution.

Fix

Both sinks now resolve the destination through a single hardened helper ( safe download filepath) that reduces the attacker-influenced name to a bare basename (dropping absolute paths and .. components) and re-checks, via realpath, that the resolved path stays inside the downloads root (defeating symlink/TOCTOU escapes). A traversal attempt is rejected; normal downloads are unchanged.

Workarounds

  • Upgrade to the patched version (0.9.0).
  • Run the crawler as an unprivileged user with a dedicated, isolated downloads directory on a volume with no sensitive paths writable.
  • Enable authentication (CRAWL4AI API TOKEN) on the Docker server.

Credits

Y4tacker - reported the Content-Disposition path traversal in the HTTP crawler with a clear PoC and a basename + realpath-containment fix recommendation.

Correção

Link Following

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-2JQ4-Q6VV-4CP3

Produtos afetados

Crawl4Ai