ayrisdev/crawl4ai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix critical RCE via deserialization and eval() in /crawl endpoint

Browse Source 
- Replace raw eval() in _compute_field() with AST-validated
  _safe_eval_expression() that blocks __import__, dunder attribute
  access, and import statements while preserving safe transforms
- Add ALLOWED_DESERIALIZE_TYPES allowlist to from_serializable_dict()
  preventing arbitrary class instantiation from API input
- Update security contact email and add v0.8.1 security fixes to
  SECURITY.md with researcher acknowledgment
- Add 17 security tests covering both fixes
This commit is contained in:
unclecode
2026-01-30 08:46:01 +00:00
parent ad5ebf166a
commit 0104db6de2
4 changed files with 288 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
SECURITY.md
View File

@@ -24,7 +24,7 @@ Instead, please report via one of these methods:
- Fill in the details
2. **Email**
- Send details to: aravind@crawl4ai.com and nasrin@crawl4ai.com
- Send details to: unclecode@crawl4ai.com (CC: nasrin@crawl4ai.com and aravind@crawl4ai.com)
- Use subject: `[SECURITY] Brief description`
- Include:
- Description of the vulnerability
@@ -98,10 +98,21 @@ When using Crawl4AI as a Python library:
| CVE-pending-1 | CRITICAL | RCE via hooks `__import__` | Removed from allowed builtins |
| CVE-pending-2 | HIGH | LFI via `file://` URLs | URL scheme validation added |
### Fixed in v0.8.1
| ID | Severity | Description | Fix |
|----|----------|-------------|-----|
| CVE-pending-3 | CRITICAL | RCE via deserialization + `eval()` in `/crawl` endpoint | Allowlisted deserializable types; AST-validated computed field expressions |
See [Security Advisory](https://github.com/unclecode/crawl4ai/security/advisories) for details.
## Security Features
### v0.8.1+
- **Deserialization Allowlist**: Only known-safe types can be instantiated via API config
- **Safe Expression Evaluation**: Computed fields use AST validation (no `__import__`, no dunder access)
### v0.8.0+
- **URL Scheme Validation**: Blocks `file://`, `javascript:`, `data:` URLs on API
@@ -115,7 +126,8 @@ See [Security Advisory](https://github.com/unclecode/crawl4ai/security/advisorie
We thank the following security researchers for responsibly disclosing vulnerabilities:
- **[Neo by ProjectDiscovery](https://projectdiscovery.io/blog/introducing-neo)** - RCE and LFI vulnerabilities (December 2025)
- **Alec M** — RCE via deserialization in `/crawl` endpoint (January 2026)
- **[Neo by ProjectDiscovery](https://projectdiscovery.io/blog/introducing-neo)** — RCE and LFI vulnerabilities (December 2025)
---