Server-side template injection in crawl4ai
Description
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter
A critical remote code execution vulnerability exists in the Crawl4AI Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing attackers to import arbitrary modules and execute system commands.
Attack Vector:
POST /crawl { "urls": ["https://example.com"], "hooks": { "code": { "on_page_context_created": "async def hook(page, context, **kwargs):\n __import__('os').system('malicious_command')\n return page" } }...
Impact
An unauthenticated attacker can:
Execute arbitrary system commands
Read/write files on the server
Exfiltrate sensitive data (environment variables, API keys)
Pivot to internal network services
Completely compromise the server
Mitigation
Upgrade to v0.8.0 (recommended)
If unable to upgrade immediately:
Disable the Docker API
Block /crawl endpoint at network level
Add authentication to the API
Fix Details
Removed __import__ from allowed_builtins in hook_manager.py
Hooks disabled by default (CRAWL4AI_HOOKS_ENABLED=false)
Users must explicitly opt-in to enable hooks
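The two controls in the fix details (dropping `__import__` from the exec() builtins allowlist, and gating hooks behind an explicit opt-in) are easy to illustrate side by side. The following is an added example, not crawl4ai's own hook_manager.py: the names `WEAK_BUILTINS`, `HARDENED_BUILTINS`, `compile_hook`, `run_hook` and `demo` are assumptions for illustration, and only the environment variable name `CRAWL4AI_HOOKS_ENABLED` comes from the advisory.

```python
"""Added example (not crawl4ai's own code): a minimal hook runner that contrasts
an exec() builtins allowlist containing __import__ with one that omits it, and
gates hook execution on the CRAWL4AI_HOOKS_ENABLED opt-in. All function and
constant names here are illustrative assumptions."""
import asyncio
import os

# Weak allowlist (assumed shape): including __import__ lets hook code load any module.
WEAK_BUILTINS = {
    "len": len,
    "str": str,
    "__import__": __import__,
}

# Hardened allowlist: the same helpers with __import__ removed.
HARDENED_BUILTINS = {k: v for k, v in WEAK_BUILTINS.items() if k != "__import__"}


def hooks_enabled(env=None):
    """Hooks stay off unless CRAWL4AI_HOOKS_ENABLED is explicitly set to a true value."""
    env = os.environ if env is None else env
    value = env.get("CRAWL4AI_HOOKS_ENABLED", "false").strip().lower()
    return value in ("1", "true", "yes")


def compile_hook(code, allowed_builtins):
    """exec() the hook source with only the given builtins and return its 'hook' callable."""
    namespace = {"__builtins__": dict(allowed_builtins)}
    exec(code, namespace)
    hook = namespace.get("hook")
    if not callable(hook):
        raise ValueError("hook source must define a callable named 'hook'")
    return hook


async def run_hook(code, allowed_builtins, page, env=None):
    """Refuse to run unless hooks are opted in, then run the hook against the page object."""
    if not hooks_enabled(env):
        raise PermissionError("hooks are disabled; set CRAWL4AI_HOOKS_ENABLED=true to opt in")
    hook = compile_hook(code, allowed_builtins)
    return await hook(page, None)


def demo():
    """Run constructed hook sources under both allowlists and return the outcomes."""
    # Constructed sample hooks: one benign, one that only tries to reach __import__.
    benign = (
        "async def hook(page, context, **kwargs):\n"
        "    page['title'] = str(len(page['body']))\n"
        "    return page\n"
    )
    importing = (
        "async def hook(page, context, **kwargs):\n"
        "    __import__('os')\n"
        "    return page\n"
    )
    env_on = {"CRAWL4AI_HOOKS_ENABLED": "true"}
    results = {}

    # Default configuration: no opt-in variable set, so hooks are disabled.
    results["default_gate"] = hooks_enabled({})

    # Benign hook still works under the hardened allowlist.
    page = asyncio.run(run_hook(benign, HARDENED_BUILTINS, {"body": "abcd"}, env_on))
    results["benign_hardened"] = page["title"]

    # The weak allowlist lets the hook resolve __import__; the hardened one raises NameError.
    try:
        asyncio.run(run_hook(importing, WEAK_BUILTINS, {"body": ""}, env_on))
        results["import_weak"] = "allowed"
    except NameError:
        results["import_weak"] = "blocked"
    try:
        asyncio.run(run_hook(importing, HARDENED_BUILTINS, {"body": ""}, env_on))
        results["import_hardened"] = "allowed"
    except NameError:
        results["import_hardened"] = "blocked"

    # With hooks disabled, even a benign hook is refused before exec() is reached.
    try:
        asyncio.run(run_hook(benign, HARDENED_BUILTINS, {"body": ""}, {}))
        results["disabled_gate"] = "ran"
    except PermissionError:
        results["disabled_gate"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Removing `__import__` narrows what hook code can reach, but a restricted `__builtins__` dict does not turn exec() into a sandbox; the off-by-default gate and network-level authentication from the Mitigation section are the controls to rely on when untrusted callers can reach the API.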
Credits
Discovered by Neo by ProjectDiscovery (https://projectdiscovery.io)
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| pip | crawl4ai | | 0.8.0 |