CVE-2026-57571
unclecode · crawl4ai
A path traversal vulnerability in crawl4ai allows attackers to perform arbitrary file writes by injecting malicious filenames during the crawling process, potentially leading to remote code execution.
Executive summary
A critical path traversal vulnerability in the crawl4ai library enables attackers to write arbitrary files to the host system, which can be leveraged to achieve remote code execution.
Vulnerability
The application fails to sanitize attacker-influenced filenames during file download operations, allowing for path traversal (CWE-22) and link following (CWE-59). An unauthenticated attacker can control the destination path of downloaded files, resulting in arbitrary file write capability.
Business impact
The ability to write arbitrary files to the filesystem with attacker-controlled content is a severe security risk that typically leads to Remote Code Execution (RCE). With a CVSS score of 9.6, this vulnerability could allow an attacker to gain full control over the server environment, leading to data exfiltration, system destruction, or further lateral movement within the network.
Remediation
Immediate Action: Update the crawl4ai library to version 0.9.0 or later to ensure proper filename sanitization and directory confinement.
Proactive Monitoring: Monitor the application’s file download directories for suspicious files or unexpected modifications to system configurations.
Compensating Controls: Deploy the application within a containerized environment with strictly enforced read-only filesystem policies or restricted write permissions to minimize the impact of a successful file write.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the potential for remote code execution, this vulnerability should be treated with the highest urgency. Organizations utilizing crawl4ai should verify their dependency versions and apply the update to version 0.9.0 immediately to prevent unauthorized file system manipulation.