Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Remote attacker-controlled content with low complexity and no victim auth (PR:N) but requires the victim to crawl it (UI:R); arbitrary write outside the intended dir changes scope (S:C) and yields RCE, so C/I/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path or traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents; the HTTP crawler path uses the response Content-Disposition filename and the browser crawler path uses the download's suggested filename. Because the written bytes are attacker-controlled, this can escalate to remote code execution. This issue is fixed in version 0.9.0.
AnalysisAI
Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a malicious website or download control where crawled files land on disk, and because the file contents are also attacker-controlled this escalates to remote code execution. Both the HTTP crawler path (trusting the response Content-Disposition filename) and the browser crawler path (trusting the download's suggested filename) are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a Crawl4AI instance prior to 0.9.0 downloads and saves a file originating from attacker-controlled content - specifically the HTTP crawler path is triggered when the malicious server sets a crafted Content-Disposition filename (absolute path or ../ traversal), and the browser crawler path is triggered when a download's suggested filename is crafted; file-download handling must be exercised by the crawl. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are broadly consistent toward high priority but with one important caveat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker stands up (or compromises) a website that a target's Crawl4AI-based pipeline will crawl, and serves a file whose Content-Disposition header (HTTP path) or browser-suggested download name (browser path) contains a traversal/absolute path such as ../../../../home/app/.bashrc or a path into a Python site-packages module, with malicious contents. When the crawler downloads and saves the file, the bytes are written outside the downloads directory to an execution-relevant location, and code runs the next time that file is loaded or the process/user starts a shell. … |
| Remediation | Vendor-released patch: upgrade to Crawl4AI 0.9.0, which fixes the unsafe filename handling (see advisory GHSA-2jq4-q6vv-4cp3 and commit 60886d1a0c52682e4c83a7cef9dfac417fff6bd2). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Crawl4AI; immediately restrict crawler operations to whitelisted, trusted domains only; disable processing of untrusted sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbit
Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code i
Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to
Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED
Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code
Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attack
Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into f
Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers r
Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. Rated critical severity (CVSS 9.1), this vuln
Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overw
Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attacker
Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated clie
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41934