PT-2026-4847 · PyPI · Crawl4AI

Published: 2026-01-16 · Updated: 2026-01-16

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

A critical remote code execution vulnerability exists in the Crawl4AI Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed with exec(). The __import__ builtin was included in the allow-list of builtins exposed to that code, so an unauthenticated attacker could import arbitrary modules and execute system commands.
Attack Vector:

```json
POST /crawl
{
  "urls": ["https://example.com"],
  "hooks": {
    "code": {
      "on_page_context_created": "async def hook(page, context, **kwargs):\n    __import__('os').system('malicious command')\n    return page"
    }
  }
}
```

Impact

An unauthenticated attacker can:
  • Execute arbitrary system commands
  • Read/write files on the server
  • Exfiltrate sensitive data (environment variables, API keys)
  • Pivot to internal network services
  • Completely compromise the server

Mitigation

  1. Upgrade to v0.8.0 (recommended)
  2. If unable to upgrade immediately:
  • Disable the Docker API
  • Block the /crawl endpoint at the network level
  • Add authentication to the API

Fix Details

  1. Removed __import__ from the allowed builtins in hook_manager.py
  2. Hooks disabled by default (CRAWL4AI_HOOKS_ENABLED=false)
  3. Users must explicitly opt-in to enable hooks
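The following is an added example, not Crawl4AI's own code, that models the flaw described above and the two fix details in a hypothetical hook runner: hook source is exec()'d under an allow-list of builtins, and the `hooks_enabled` gate reads the CRAWL4AI_HOOKS_ENABLED variable named in the advisory. The builtin tables, the `run_hook`/`classify` helpers and the two sample hooks are constructed for illustration; the sample hooks only import a module and return its name, so the difference between the pre-fix and post-fix allow-lists is observable without running anything on the host.

```python
import asyncio
import os

# Added example, not Crawl4AI's own code. It models the advisory's flaw in a
# hypothetical hook runner: hook source is exec()'d with an allow-list of
# builtins, and whether __import__ is on that list decides if the hook can
# reach arbitrary modules. Only the env var name comes from the advisory.

HOOKS_ENV = "CRAWL4AI_HOOKS_ENABLED"

# Minimal allow-list for hook code; __import__ deliberately absent.
SAFE_BUILTINS = {"len": len, "str": str, "isinstance": isinstance, "print": print}

# The pre-fix shape: __import__ exposed alongside the harmless builtins.
VULNERABLE_BUILTINS = {**SAFE_BUILTINS, "__import__": __import__}

# Constructed sample hooks. Each only imports a module and returns its name.
HOOK_DUNDER_IMPORT = (
    "async def hook(page, context, **kwargs):\n"
    "    return __import__('os').__name__\n"
)
HOOK_IMPORT_STATEMENT = (
    "async def hook(page, context, **kwargs):\n"
    "    import subprocess\n"
    "    return subprocess.__name__\n"
)


class HooksDisabled(Exception):
    """Raised when a request carries hook code but hooks were not opted in."""


def hooks_enabled(environ=None) -> bool:
    """Opt-in gate: hooks run only if the env var is explicitly 'true'."""
    environ = os.environ if environ is None else environ
    return environ.get(HOOKS_ENV, "false").strip().lower() == "true"


def run_hook(code: str, allowed_builtins: dict, environ=None):
    """exec() the hook source under the given builtins, then await the hook."""
    if not hooks_enabled(environ):
        raise HooksDisabled(f"{HOOKS_ENV} is not 'true'; refusing hook code")
    # Copy the table so hook code cannot mutate the shared allow-list.
    namespace = {"__builtins__": dict(allowed_builtins)}
    exec(code, namespace)  # defines hook() inside the restricted namespace
    return asyncio.run(namespace["hook"](page=None, context=None))


def classify(code: str, allowed_builtins: dict, environ=None) -> str:
    """Summarise what happens to a hook under a given configuration."""
    try:
        result = run_hook(code, allowed_builtins, environ)
    except HooksDisabled:
        return "hooks-disabled"
    except (NameError, ImportError):
        # NameError: __import__('x') with no __import__ in the builtins table.
        # ImportError: a bare `import x` statement, which CPython resolves via
        # builtins.__import__ and reports as "__import__ not found".
        return "import-blocked"
    return f"imported:{result}"


if __name__ == "__main__":
    enabled = {HOOKS_ENV: "true"}
    for label, code in (("__import__()", HOOK_DUNDER_IMPORT),
                        ("import stmt", HOOK_IMPORT_STATEMENT)):
        print(f"{label:13} default env -> {classify(code, VULNERABLE_BUILTINS, {})}")
        print(f"{label:13} pre-fix     -> {classify(code, VULNERABLE_BUILTINS, enabled)}")
        print(f"{label:13} post-fix    -> {classify(code, SAFE_BUILTINS, enabled)}")
```

Under the pre-fix table both sample hooks reach their module; under the post-fix table both fail, and with the variable unset the code is never exec()'d at all. The order of the checks is the point: removing `__import__` from a builtins dict is defence in depth, not a sandbox, since CPython's exec() offers no secure sandboxing and restricted-builtins setups have well-known escapes. The off-by-default gate, together with the authentication and network blocking listed under Mitigation, is what actually keeps untrusted hook code away from exec().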

Credits

Discovered by Neo by ProjectDiscovery (https://projectdiscovery.io)

Fix

Weakness Enumeration

Code Injection

Related Identifiers

GHSA-5882-5RX9-XGXP

Affected Products

Crawl4AI