Vulnerability  ·  2026-06-24

Crawl4AI Sandbox Escape via AST Validator Bypass in Computed Fields (_safe_eval_expression)

Vulnerability · High impact · Global · CVE-2026-53753
Prior to Crawl4AI 0.8.7, _safe_eval_expression() validated computed-field expressions with an AST walker whose only rule was to reject attribute names beginning with an underscore. Python generator and frame objects expose attributes that carry no underscore prefix (gi_frame, f_back, f_builtins) yet lead straight into the interpreter's execution environment: a running generator's gi_frame is a frame object, f_back walks from there to the frames of the code that called into the sandbox, and f_builtins is that frame's builtins namespace. An attacker who can supply a crafted computed-field expression therefore escapes the sandbox and achieves arbitrary code execution. CVSS 9.8 (Critical), published 2026-06-23.
Crawl4AI is explicitly designed as an LLM-friendly web scraper and is widely used to feed data into RAG pipelines and AI agents. Where crawled page content can influence a computed-field expression, exploitation turns injected web content into server-side RCE, a direct prompt-to-code-execution path for AI data pipelines.
Attack vector: the attacker supplies a malicious computed-field expression that uses generator and frame object attributes (e.g. gi_frame.f_back.f_builtins) to escape the AST sandbox and execute arbitrary Python.
Affected versions: Crawl4AI < 0.8.7
Fix: upgrade to Crawl4AI 0.8.7. Advisory: https://github.com/unclecode/crawl4ai/security/advisories/GHSA-qxjp-w3pj-48m7
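The bypass and one way to close it, as an added example that is neither Crawl4AI's code nor the 0.8.7 patch: an underscore-only AST validator modelled on the advisory's description, a constructed payload of the class it describes that reaches the real builtins through a running generator's frame, and a hardened validator whose design (node-type allowlist, introspection-attribute denylist, known-name check) is an assumption made here. SAFE_BUILTINS, the function names (vulnerable_eval, hardened_eval, leaks_real_builtins) and the payload are likewise assumptions for this example.

```python
"""Underscore-only AST validator versus a hardened one, with the generator-frame escape."""
import ast
from typing import Any, Callable, Mapping

# Builtins a computed field may call. Assumed for this example (the project's own
# allowlist is not on the page). `list`, like sum/max/sorted/next, can drive a generator.
SAFE_BUILTINS: dict[str, Any] = {
    "len": len, "str": str, "int": int, "float": float,
    "list": list, "min": min, "max": max, "round": round,
}


class UnderscoreOnlyValidator(ast.NodeVisitor):
    """Models the pre-0.8.7 check as the advisory describes it: the only rule is
    "no attribute whose name starts with an underscore"."""

    def visit_Attribute(self, node: ast.Attribute) -> None:
        if node.attr.startswith("_"):
            raise ValueError(f"forbidden attribute: {node.attr}")
        self.generic_visit(node)


# Attributes without an underscore prefix that expose interpreter internals:
# generator/coroutine frames, frame objects, code objects, tracebacks.
INTROSPECTION_ATTRS = frozenset({
    "gi_frame", "gi_code", "gi_yieldfrom", "cr_frame", "cr_code", "cr_await",
    "ag_frame", "ag_code", "f_back", "f_builtins", "f_globals", "f_locals",
    "f_code", "f_trace", "co_code", "co_consts", "co_names", "tb_frame", "tb_next",
})

# Node types a computed field needs: literals, names, attribute/index access,
# arithmetic, comparisons, calls. No generators, comprehensions, lambdas, walrus.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Attribute, ast.Subscript,
    ast.Slice, ast.Call, ast.keyword, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.IfExp, ast.List, ast.Tuple, ast.Dict, ast.JoinedStr, ast.FormattedValue,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)


class HardenedValidator(ast.NodeVisitor):
    """Example hardening (an assumption, not the 0.8.7 patch): allowlist node types,
    deny introspection attributes, and resolve only names the caller provided."""

    def __init__(self, known_names: set[str]) -> None:
        self.known_names = known_names

    def visit(self, node: ast.AST) -> None:
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        super().visit(node)

    def visit_Attribute(self, node: ast.Attribute) -> None:
        if node.attr.startswith("_") or node.attr in INTROSPECTION_ATTRS:
            raise ValueError(f"forbidden attribute: {node.attr}")
        self.generic_visit(node)

    def visit_Name(self, node: ast.Name) -> None:
        if node.id not in self.known_names:
            raise ValueError(f"unknown name: {node.id}")


def _evaluate(expr: str, context: Mapping[str, Any], validator: ast.NodeVisitor) -> Any:
    tree = ast.parse(expr, mode="eval")
    validator.visit(tree)
    # One dict as globals and locals, so walrus-bound names are visible to nested scopes.
    namespace: dict[str, Any] = {"__builtins__": SAFE_BUILTINS, **context}
    return eval(compile(tree, "<computed-field>", "eval"), namespace)  # noqa: S307


def vulnerable_eval(expr: str, context: Mapping[str, Any]) -> Any:
    """Stand-in for the pre-0.8.7 behaviour (hypothetical name, not the project's function)."""
    return _evaluate(expr, context, UnderscoreOnlyValidator())


def hardened_eval(expr: str, context: Mapping[str, Any]) -> Any:
    return _evaluate(expr, context, HardenedValidator(set(context) | set(SAFE_BUILTINS)))


# Constructed payload of the class the advisory describes (not its proof of concept).
# A generator stores a reference to itself in `c`, then, while running inside list(),
# reads its own frame: gi_frame is the running frame, the first f_back is the
# "<computed-field>" frame (same restricted builtins), the second f_back is the frame of
# the Python function that called eval(), whose f_builtins is the real builtins dict.
ESCAPE_PAYLOAD = (
    "[(c := []),"
    " c.append((g := (c[0].gi_frame.f_back.f_back.f_builtins for i in [0]))),"
    " list(g)[0]][-1]"
)


def leaks_real_builtins(evaluator: Callable[[str, Mapping[str, Any]], Any]) -> bool:
    """True if ESCAPE_PAYLOAD gets past the evaluator and returns the real builtins."""
    try:
        leaked = evaluator(ESCAPE_PAYLOAD, {})
    except ValueError:
        return False
    return isinstance(leaked, dict) and "__import__" in leaked


if __name__ == "__main__":
    ctx = {"item": {"price": 21}}
    print(vulnerable_eval("str(item['price'] * 2)", ctx))  # "42": normal use works
    print(leaks_real_builtins(vulnerable_eval))             # True: sandbox escaped
    print(leaks_real_builtins(hardened_eval))               # False: rejected at NamedExpr
```

Removing `list` from the allowlist does not help: any builtin that drives an iterator (sum, max, sorted, next, ...) starts the generator, and the walrus only supplies the self-reference. The durable fix is to enumerate the node types a computed field legitimately needs and refuse everything else, and to treat frame, code and generator attributes as forbidden regardless of the underscore heuristic.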
Sources
NVD: CVE-2026-53753
GitHub Advisory: GHSA-qxjp-w3pj-48m7