Open
Package
- Ecosystem: pip
- Package name: crewai-tools
- Affected versions: All versions
- Patched versions: None (not yet patched)
Description
Two vulnerabilities exist in the CodeInterpreterTool:
1. Command Injection (CWE-78)
In `run_code_unsafe()`, user-provided library names are passed directly to `os.system()` without sanitization:
```python
for library in libraries_used:
    os.system(f"pip install {library}")  # Line 378-379
```
This allows command injection via malicious library names like `"numpy; malicious_command #"`.
2. Sandbox Escape (CWE-94/CWE-693)
The `SandboxPython` class attempts to create a restricted execution environment but fails to block Python object introspection methods (`__class__`, `__bases__`, `__subclasses__`). This allows complete sandbox bypass:
```python
for c in ().__class__.__bases__[0].__subclasses__():
    if c.__name__ == 'BuiltinImporter':
        c.load_module('os').system('id')
```
Severity
- Command Injection: CVSS ~7.8 (High)
- Sandbox Escape: CVSS ~9.1 (Critical)
References
- GitHub Issue: [Security] Command Injection and Sandbox Escape in CodeInterpreterTool crewAIInc/crewAI#4516
- CWE-78: https://cwe.mitre.org/data/definitions/78.html
- CWE-94: https://cwe.mitre.org/data/definitions/94.html
Credit
optimus-fulcria
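For the command injection described in item 1 of the report above, one way to remove the shell from the install step. This is an added example, not code from crewai-tools or from the reporter; the function names `pip_install_argv` and `install_libraries` and the `runner` parameter are hypothetical, and the sample names are constructed.

```python
import re
import subprocess
import sys

# Distribution-name shape from PEP 508: letters, digits, '.', '_' and '-',
# starting and ending with a letter or digit. Spaces, ';', '#', '&', '|'
# and '$' never match, and a name can never start with '-' (a pip flag).
_NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")


def pip_install_argv(library):
    """Return the argv list for installing one library, or raise ValueError."""
    if not isinstance(library, str) or not _NAME_RE.fullmatch(library):
        raise ValueError(f"rejected library name: {library!r}")
    # An argv list is handed to the process as-is; no shell parses it.
    return [sys.executable, "-m", "pip", "install", library]


def install_libraries(libraries, runner=subprocess.run):
    """Validate every name before installing anything, then run without a shell."""
    argvs = [pip_install_argv(lib) for lib in libraries]  # fail closed up front
    for argv in argvs:
        runner(argv, check=True, shell=False)
    return argvs


if __name__ == "__main__":
    # Constructed demo: a recording runner stands in for subprocess.run,
    # so nothing is actually installed.
    recorded = []

    def record(argv, **kwargs):
        recorded.append(argv)

    install_libraries(["numpy", "scikit-learn"], runner=record)
    print("would run:", recorded)

    try:
        install_libraries(["requests", "numpy; malicious_command #"], runner=record)
    except ValueError as exc:
        print("blocked:", exc)
```

Name validation only closes the shell injection; installing an arbitrary requested package can still run that package's install-time code, so an allowlist of permitted libraries is the stronger control.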