PT-2026-53176 · Pypi · Crawl4Ai
Published
2026-06-18
·
Updated
2026-06-18
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Summary
When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g.
/etc/cron.d/evil) or ../ traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents. Because the written bytes are attacker-controlled, this escalates to remote code execution (overwriting a shell rc-file, ~/.ssh/authorized keys, a cron entry, or a Python module on the import path).Affected paths
Two download sinks in
crawl4ai/async crawler strategy.py:- HTTP crawler (
AsyncHTTPCrawlerStrategy): the filename is parsed from the responseContent-Dispositionheader byextract filename()and written viaaiofiles.open(filepath, 'wb'). Reachable directly via the SDK, and via the unauthenticated Docker/crawlendpoint when anHTTPCrawlerConfigis supplied. - Browser crawler (
AsyncPlaywrightCrawlerStrategy): the download'ssuggested filename(controllable by the visited page) is joined todownloads pathand written viadownload.save as().
The HTTP-strategy sink is reachable pre-auth on the default Docker deployment; both are reachable for SDK users simply by crawling an attacker-controlled URL. The default Playwright crawl path that does not trigger a download is unaffected.
Impact
Arbitrary file write with attacker-controlled content as the user running the crawler, escalating to remote code execution.
Fix
Both sinks now resolve the destination through a single hardened helper (
safe download filepath) that reduces the attacker-influenced name to a bare basename (dropping absolute paths and .. components) and re-checks, via realpath, that the resolved path stays inside the downloads root (defeating symlink/TOCTOU escapes). A traversal attempt is rejected; normal downloads are unchanged.Workarounds
- Upgrade to the patched version (0.9.0).
- Run the crawler as an unprivileged user with a dedicated, isolated downloads directory on a volume with no sensitive paths writable.
- Enable authentication (
CRAWL4AI API TOKEN) on the Docker server.
Credits
Y4tacker - reported the Content-Disposition path traversal in the HTTP crawler with a clear PoC and a basename + realpath-containment fix recommendation.
Fix
Link Following
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Crawl4Ai