Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
Title source: cna
Exploitation Summary
EIP tracks 3 public exploits for CVE-2026-53753. PoCs published by thecodeb0ss, 0xEnc0der, BiiTts.
AI-analyzed exploit summary: The repository contains no actual exploit code, technical details, or vulnerability analysis. It uses vague language and directs users to an external Telegram channel for the PoC, which is a common social engineering tactic to lure researchers into malicious or monetized content.
Description
Crawl4AI is an open-source, LLM-friendly web crawler and scraper. Prior to 0.8.7, the `_safe_eval_expression()` function in the computed fields feature uses an AST validator that only blocks attributes starting with an underscore. Python generator and frame object attributes (`gi_frame`, `f_back`, `f_builtins`) do NOT start with an underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT is disabled by default) and is triggered via `POST /crawl` with a crafted extraction schema. This vulnerability is fixed in 0.8.7.
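The validator weakness described above, shown next to an allowlist-based check, as an added example (not Crawl4AI's code and not the 0.8.7 fix). The function names, the allowlists and the sample expressions are assumptions constructed for illustration; expressions are only parsed, never evaluated.

```python
import ast

def underscore_only_check(expr: str) -> bool:
    """Model of the flawed rule: reject only attributes starting with '_'."""
    tree = ast.parse(expr, mode="eval")
    return not any(isinstance(n, ast.Attribute) and n.attr.startswith("_")
                   for n in ast.walk(tree))

# Hypothetical allowlists for a small computed-field expression language.
ALLOWED_NODES = (ast.Expression, ast.Constant, ast.Name, ast.Load, ast.BinOp,
                 ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Compare, ast.Eq,
                 ast.NotEq, ast.Lt, ast.Gt, ast.Call, ast.Attribute)
ALLOWED_ATTRS = {"strip", "lower", "upper", "replace"}
ALLOWED_FUNCS = {"len", "int", "float", "str"}

def allowlist_check(expr: str, fields: set) -> bool:
    """Accept only listed node types, names, attributes and call targets."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False  # generators, lambdas, subscripts, ... are refused
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            return False
        if isinstance(node, ast.Name) and node.id not in fields | ALLOWED_FUNCS:
            return False
        if isinstance(node, ast.Call):
            func = node.func
            named = isinstance(func, ast.Name) and func.id in ALLOWED_FUNCS
            if node.keywords or not (named or isinstance(func, ast.Attribute)):
                return False
    return True

if __name__ == "__main__":
    # Constructed sample expressions; they are parsed only, never evaluated.
    samples = ["price * quantity", "title.strip().lower()",
               "gen.gi_frame.f_back.f_builtins", "title.__class__"]
    for s in samples:
        print(f"{s!r}: underscore_only={underscore_only_check(s)} "
              f"allowlist={allowlist_check(s, {'price', 'quantity', 'title', 'gen'})}")
```

A denylist keyed on a naming convention misses every introspection attribute that lacks the prefix, while the allowlist refuses anything it was not told about, including generator expressions.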
Exploits (3)
The repository contains no actual exploit code, technical details, or vulnerability analysis. It uses vague language and directs users to an external Telegram channel for the PoC, which is a common social engineering tactic to lure researchers into malicious or monetized content.
This repository contains a functional exploit for CVE-2026-53753, targeting Crawl4AI <= 0.8.6. The exploit leverages an AST sandbox escape via generator frame manipulation to achieve pre-authentication remote code execution.
This repository contains a functional exploit for CVE-2026-53753, demonstrating an unauthenticated remote code execution (RCE) vulnerability in Crawl4AI < 0.8.7. The exploit leverages an AST sandbox escape in the `_safe_eval_expression()` function by walking the frame chain to access the real builtins and execute arbitrary commands.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H