crewai-tools 1.13.0a3

Direct Vulnerabilities

Known vulnerabilities in the crewai-tools package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Server-side Request Forgery (SSRF) crewai-tools is a Set of tools for the crewAI framework Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the RAG search tools not properly validating user-supplied URLs at runtime. An attacker can access internal or cloud resources by supplying crafted URLs. How to fix Server-side Request Forgery (SSRF)? Upgrade `crewai-tools` to version 1.14.0 or higher.	[,1.14.0)
C Arbitrary Code Injection crewai-tools is a Set of tools for the crewAI framework Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper verification of the Docker runtime status, causing a fallback to a SandboxPython environment. An attacker can execute arbitrary code by exploiting this fallback mechanism. How to fix Arbitrary Code Injection? Upgrade `crewai-tools` to version 1.14.0a4 or higher.	[,1.14.0a4)
H Exposed Dangerous Method or Function crewai-tools is a Set of tools for the crewAI framework Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the CodeInterpreter tool that fallbacks to SandboxPython when Docker is unreachable. An attacker can execute arbitrary code by invoking arbitrary C functions. Note: This issue affects users explicitly set `allow_code_execution=True` or if the Code Interpreter Tool is manually added to the agent by the developer. How to fix Exposed Dangerous Method or Function? Upgrade `crewai-tools` to version 1.14.0a4 or higher.	[,1.14.0a4)

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

crewai-tools is a Set of tools for the crewAI framework

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the RAG search tools not properly validating user-supplied URLs at runtime. An attacker can access internal or cloud resources by supplying crafted URLs.

How to fix Server-side Request Forgery (SSRF)?

Upgrade crewai-tools to version 1.14.0 or higher.

[,1.14.0)

Arbitrary Code Injection

crewai-tools is a Set of tools for the crewAI framework

Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper verification of the Docker runtime status, causing a fallback to a SandboxPython environment. An attacker can execute arbitrary code by exploiting this fallback mechanism.

How to fix Arbitrary Code Injection?

Upgrade crewai-tools to version 1.14.0a4 or higher.

[,1.14.0a4)

Exposed Dangerous Method or Function

crewai-tools is a Set of tools for the crewAI framework

Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the CodeInterpreter tool that fallbacks to SandboxPython when Docker is unreachable. An attacker can execute arbitrary code by invoking arbitrary C functions.

Note:

This issue affects users explicitly set allow_code_execution=True or if the Code Interpreter Tool is manually added to the agent by the developer.

How to fix Exposed Dangerous Method or Function?

Upgrade crewai-tools to version 1.14.0a4 or higher.

[,1.14.0a4)

crewai-tools@1.13.0a3

Set of tools for the crewAI framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically