Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-5882-5rx9-xgxp: Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter

A critical remote code execution vulnerability exists in the Crawl4AI Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing attackers to import arbitrary modules and execute system commands.

Attack Vector:

POST /crawl
{
  "urls": ["https://example.com"],
  "hooks": {
    "code": {
      "on_page_context_created": "async def hook(page, context, **kwargs):\n    __import__('os').system('malicious_command')\n    return page"
    }
  }
}

Impact

An unauthenticated attacker can:

  • Execute arbitrary system commands
  • Read/write files on the server
  • Exfiltrate sensitive data (environment variables, API keys)
  • Pivot to internal network services
  • Completely compromise the server

Mitigation

  1. Upgrade to v0.8.0 (recommended)
  2. If unable to upgrade immediately:
    • Disable the Docker API
    • Block /crawl endpoint at network level
    • Add authentication to the API

Fix Details

  1. Removed __import__ from allowed_builtins in hook_manager.py
  2. Hooks disabled by default (CRAWL4AI_HOOKS_ENABLED=false)
  3. Users must explicitly opt-in to enable hooks

Credits

Discovered by Neo by ProjectDiscovery (https://projectdiscovery.io)

ghsa
Open in Source
#vulnerability#js#git#intel#rce#auth#docker

Skip to content

Navigation Menu

    • AI CODE CREATION

      • GitHub CopilotWrite better code with AI

      • GitHub SparkBuild and deploy intelligent apps

      • GitHub ModelsManage and compare prompts

      • MCP RegistryNewIntegrate external tools

View all features
  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-5882-5rx9-xgxp

Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter

Critical severity GitHub Reviewed Published Jan 16, 2026 in unclecode/crawl4ai • Updated Jan 16, 2026

Package

pip Crawl4AI (pip)

Affected versions

< 0.8.0

Description

A critical remote code execution vulnerability exists in the Crawl4AI Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The import builtin was included in the allowed builtins, allowing attackers to import arbitrary modules and execute system commands.

Attack Vector:

POST /crawl { "urls": [“https://example.com”], "hooks": { "code": { "on_page_context_created": “async def hook(page, context, **kwargs):\n __import__(‘os’).system(‘malicious_command’)\n return page” } } }

Impact

An unauthenticated attacker can:

  • Execute arbitrary system commands
  • Read/write files on the server
  • Exfiltrate sensitive data (environment variables, API keys)
  • Pivot to internal network services
  • Completely compromise the server

Mitigation

  1. Upgrade to v0.8.0 (recommended)
  2. If unable to upgrade immediately:
    • Disable the Docker API
    • Block /crawl endpoint at network level
    • Add authentication to the API

Fix Details

  1. Removed import from allowed_builtins in hook_manager.py
  2. Hooks disabled by default (CRAWL4AI_HOOKS_ENABLED=false)
  3. Users must explicitly opt-in to enable hooks

Credits

Discovered by Neo by ProjectDiscovery (https://projectdiscovery.io)

References

  • GHSA-5882-5rx9-xgxp
  • https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/blog/release-v0.8.0.md
  • https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/migration/v0.8.0-upgrade-guide.md

Published to the GitHub Advisory Database

Jan 16, 2026

Last updated

Jan 16, 2026

EPSS score

ghsa: Latest News

GHSA-8qq5-rm4j-mr97: node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
ghsa