Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network endpoint (AV:N/PR:N), but exploitation requires winning a TOCTOU race and symlink staging (AC:H); arbitrary write enables full host compromise when runtime user can write executables.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. Remote attackers can exploit insufficient path validation and symlink following to achieve arbitrary file write and potential code execution on systems where the runtime user has write access to executable or cron locations.
AnalysisAI
Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED_OUTPUT_DIR via symlinks and a TOCTOU race on the output_path parameter of the /screenshot and /pdf endpoints, potentially escalating to code execution where the runtime user can write to executable or cron paths. No public exploit identified at time of analysis, but the API is unauthenticated by default and the GHSA confirms the issue was found in an internal security audit.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Target must be a Crawl4AI Docker API server <= 0.8.7 exposing the POST /screenshot or POST /pdf endpoints with the default unauthenticated configuration (CRAWL4AI_API_TOKEN unset). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 of 9.2 (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H) reflects an unauthenticated network-reachable write with high attack complexity and a present attack requirement - the attacker must win a TOCTOU race or pre-position a symlink, which is non-trivial but feasible against a long-lived container. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker reachable to an unauthenticated Crawl4AI Docker server sends repeated POST /screenshot or POST /pdf requests with an output_path that points through a directory the attacker can race or pre-symlink, swapping in a symlink targeting /etc/cron.d/ or a binary the runtime user can overwrite. Winning the TOCTOU race between validate_output_path and the open() call writes attacker-controlled image/PDF bytes outside ALLOWED_OUTPUT_DIR; on hosts where the container runs as a user with write access to executable or cron paths, this yields code execution at the next scheduler tick. … |
| Remediation | Vendor-released patch: upgrade pip package crawl4ai to 0.8.8 or later, which resolves the real path of the output_path parent, re-checks containment after symlink resolution, and writes with O_NOFOLLOW (see PR https://github.com/unclecode/crawl4ai/pull/3 and advisory https://github.com/unclecode/crawl4ai/security/advisories/GHSA-7cx2-g3h9-382p). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all deployments of Crawl4AI versions prior to 0.8.8 to identify instances exposed on untrusted networks; determine if the /screenshot and /pdf endpoints can be safely disabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbit
Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code i
Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a mal
Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to
Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code
Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attack
Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into f
Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers r
Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. Rated critical severity (CVSS 9.1), this vuln
Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overw
Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attacker
Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated clie
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38432
GHSA-wx2c-3cp2-f6qw