Upgrade Crawl4AI to version 0.9.0 or higher.
Crawl4AI is an open-source, LLM-friendly web crawler and scraper.
Affected versions of this package are vulnerable to a symlink attack in the download process. An attacker can overwrite arbitrary files with attacker-controlled content by supplying crafted filenames containing absolute paths or directory traversal sequences, which are then written outside the intended downloads directory. This can lead to execution of malicious code by overwriting files such as shell rc files, ~/.ssh/authorized_keys, cron entries, or Python modules on the import path. This is only exploitable if the crawler is run with sufficient privileges or in an environment where sensitive paths are writable.
This vulnerability can be mitigated by running the crawler as an unprivileged user with a dedicated, isolated downloads directory on a volume with no sensitive paths writable, or by enabling authentication (CRAWL4AI_API_TOKEN) on the Docker server.
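The defensive counterpart to the issue described above is to derive the on-disk path from the untrusted filename in a way that cannot leave the downloads directory, and to re-check containment after symlink resolution. The following is an added, hypothetical example (not Crawl4AI's own code or its 0.9.0 fix); the helper names and the constructed filenames in `demo()` are assumptions for illustration.

```python
"""Hardened download-path handling: confine untrusted filenames to one directory.
Hypothetical example code, not Crawl4AI's own implementation."""
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFilename(ValueError):
    """The untrusted filename would write outside the downloads directory."""


def sanitize_download_name(name: str) -> str:
    """Reduce an untrusted filename (URL path segment, Content-Disposition value)
    to a single path component, whatever separator convention the sender used."""
    base = PureWindowsPath(PurePosixPath(name).name).name
    # Empty names, "." / "..", control characters and dotfiles (.bashrc, .ssh) are refused.
    if base in ("", ".", "..") or base.startswith(".") or any(ord(c) < 32 for c in base):
        raise UnsafeFilename(f"rejected filename {name!r}")
    return base


def resolve_download_path(downloads_dir: str, untrusted_name: str) -> Path:
    """Return the path to write to, guaranteed to be a direct child of downloads_dir
    after symlink resolution, so a planted link cannot redirect the write elsewhere."""
    root = Path(downloads_dir).resolve()
    target = (root / sanitize_download_name(untrusted_name)).resolve()
    if target.parent != root:
        raise UnsafeFilename(f"{untrusted_name!r} resolves to {target}, outside {root}")
    return target


def demo() -> dict:
    """Exercise the check with constructed hostile names and a planted symlink;
    returns name -> accepted basename or 'rejected'. Runs in a throwaway temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp, "downloads")
        downloads.mkdir()
        outside = Path(tmp, "victim_rc")  # stands in for a shell rc file outside the dir
        outside.write_text("original\n")
        os.symlink(outside, downloads / "report.txt")  # symlink planted before the download
        for name in ["/home/user/.ssh/authorized_keys", "../../etc/cron.d/job",
                     "..\\..\\sitecustomize.py", "report.txt", "page.html"]:
            try:
                results[name] = resolve_download_path(str(downloads), name).name
            except UnsafeFilename:
                results[name] = "rejected"
    return results
```

Traversal and absolute-path names are flattened to a harmless basename inside the downloads directory, while the pre-planted `report.txt` symlink is refused because its resolved parent is no longer the downloads root.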