VYPR
Critical severityNVD Advisory· Published Feb 12, 2026· Updated Feb 12, 2026

Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter

CVE-2026-26216

Description

Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crawl4AI before v0.8.0 allowed unauthenticated RCE via exec() in Docker API hooks, enabling full server compromise.

Vulnerability

Overview

Crawl4AI versions prior to 0.8.0 contain a critical remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules such as os and subprocess and execute system commands [1][2][3]. This design flaw allowed direct shell access without authentication, leading to full server compromise.

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to the Docker API's /crawl endpoint with a malicious hooks parameter. No authentication is required. The vulnerability is only present in the Docker API deployment; users of the Python library directly are not affected [2][3]. The attack surface is the exposed Docker API endpoint: if it is reachable over the network, any unauthenticated remote attacker can target it.
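Because the dangerous input is a single request shape (an unauthenticated POST to /crawl carrying a hooks field), it is easy to hunt for in request logs. The following is an added example written for this advisory, not Crawl4AI's own code: it scans constructed JSON-lines request logs and flags every /crawl POST that carries a non-empty hooks object. The log field names (ts, src, method, path, auth, body) and the hook name used in the sample are assumptions for the example; adapt the field mapping to whatever your reverse proxy or API gateway actually records.

```python
import json

# Constructed sample of reverse-proxy request logs (JSON lines). Field names
# and the hook name are illustrative assumptions, not real Crawl4AI log output.
SAMPLE_LOG = """\
{"ts": "2026-02-12T10:00:01Z", "src": "203.0.113.7", "method": "POST", "path": "/crawl?x=1", "auth": null, "body": {"urls": ["https://example.com"], "hooks": {"before_goto": "print('hook')"}}}
{"ts": "2026-02-12T10:00:02Z", "src": "198.51.100.9", "method": "POST", "path": "/crawl", "auth": null, "body": {"urls": ["https://example.com"]}}
{"ts": "2026-02-12T10:00:03Z", "src": "198.51.100.9", "method": "POST", "path": "/crawl/", "auth": "bearer", "body": {"urls": ["https://example.com"], "hooks": {}}}
{"ts": "2026-02-12T10:00:04Z", "src": "203.0.113.7", "method": "GET", "path": "/health", "auth": null, "body": null}
"""


def normalize_path(path):
    """Strip query string and trailing slash so /crawl, /crawl/ and /crawl?x match."""
    return path.split("?", 1)[0].rstrip("/") or "/"


def find_hook_requests(log_text):
    """Return one finding per POST /crawl request whose body carries hooks code."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("method") != "POST" or normalize_path(entry.get("path", "")) != "/crawl":
            continue
        body = entry.get("body")
        hooks = body.get("hooks") if isinstance(body, dict) else None
        if not hooks:  # absent or empty hooks object: no code would be exec()'d
            continue
        findings.append({
            "ts": entry.get("ts"),
            "src": entry.get("src"),
            # hook names tell the responder which execution points were targeted
            "hook_names": sorted(hooks) if isinstance(hooks, dict) else ["<non-object>"],
            # the advisory's precondition: no authentication on the request
            "unauthenticated": entry.get("auth") is None,
        })
    return findings


if __name__ == "__main__":
    for f in find_hook_requests(SAMPLE_LOG):
        print(f)
```

On a pre-0.8.0 deployment every hit is worth triage; on a patched deployment with hooks disabled, a hit still shows who is probing the endpoint and from where.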

Impact

Successful exploitation grants arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks [1]. The severity is rated CRITICAL with a CVSS score of 10.0 [3][4]. An attacker can completely compromise the server hosting the Crawl4AI Docker API.

Mitigation

The vulnerability is fixed in Crawl4AI v0.8.0, released in January 2026. The fix removed __import__ from the allowed builtins and disabled hooks by default (enabled only via CRAWL4AI_HOOKS_ENABLED=true) [2][3][4]. Users are strongly advised to update immediately. Additionally, file:// URLs were blocked to address a related Local File Inclusion vulnerability [3][4].
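The Overview and Mitigation sections describe the flaw and the fix in terms of one builtins allowlist entry and one environment variable. The example below is an added illustration written for this page, not Crawl4AI's source: it reconstructs, from the advisory's wording, an exec()-based hook runner with a "before" allowlist that still contains __import__ and an "after" allowlist that does not, plus the CRAWL4AI_HOOKS_ENABLED opt-in gate. The allowlist contents, the run_hook function and the harmless math probe are assumptions for the demonstration; only __import__, exec() and the environment variable come from the advisory.

```python
import os

# Illustrative reconstructions of the builtins allowlist before and after the
# fix described in the advisory. Not copied from Crawl4AI; only the presence or
# absence of __import__ is the point.
VULNERABLE_BUILTINS = {
    "__import__": __import__,  # the single entry that lets hook code import any module
    "len": len, "str": str, "print": print,
}
HARDENED_BUILTINS = {
    "len": len, "str": str, "print": print,
}


def hooks_enabled(env=None):
    """Mirror the advisory's opt-in: hooks stay off unless CRAWL4AI_HOOKS_ENABLED=true."""
    env = os.environ if env is None else env
    return env.get("CRAWL4AI_HOOKS_ENABLED", "").strip().lower() == "true"


def run_hook(code, allowed_builtins, env=None):
    """Run hook code under a builtins allowlist; return (status, detail).

    status is 'disabled', 'blocked' or 'ran'; detail is the error or the
    value the hook stored in a variable named `result`.
    """
    if not hooks_enabled(env):
        return "disabled", "hooks are off by default"
    # A dict as __builtins__ restricts what names the executed code can see.
    scope = {"__builtins__": dict(allowed_builtins)}
    try:
        exec(code, scope)
    except ImportError as e:   # 'import x' fails when __import__ is not in builtins
        return "blocked", f"ImportError: {e}"
    except NameError as e:     # a direct __import__(...) call fails the same way
        return "blocked", f"NameError: {e}"
    return "ran", scope.get("result")


# Harmless probes (assumed for the example): they only show whether hook code
# can pull in a module at all. The advisory's point is that the same capability
# reached os and subprocess on pre-0.8.0 Docker API deployments.
PROBE_IMPORT_STMT = "import math\nresult = math.sqrt(16)"
PROBE_DUNDER_CALL = "result = __import__('math').sqrt(16)"

if __name__ == "__main__":
    on = {"CRAWL4AI_HOOKS_ENABLED": "true"}
    print("pre-0.8.0 allowlist, hooks on :", run_hook(PROBE_IMPORT_STMT, VULNERABLE_BUILTINS, on))
    print("0.8.0 allowlist, hooks on    :", run_hook(PROBE_IMPORT_STMT, HARDENED_BUILTINS, on))
    print("0.8.0 allowlist, dunder call :", run_hook(PROBE_DUNDER_CALL, HARDENED_BUILTINS, on))
    print("default (hooks off)          :", run_hook(PROBE_IMPORT_STMT, VULNERABLE_BUILTINS, {}))
```

Two practitioner notes. First, the default-off gate is the stronger of the two changes: a builtins allowlist around exec() narrows what hook code can reach but is not a security boundary, so hooks should be treated as trusted-code execution and left disabled unless the Docker API is only reachable by trusted callers. Second, when auditing a deployment, check both the installed version and the effective CRAWL4AI_HOOKS_ENABLED value, since an upgraded instance with hooks re-enabled still executes caller-supplied Python.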

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Crawl4AI (PyPI)
Affected versions: < 0.8.0
Patched versions: 0.8.0
