CrewAI SandboxPython Escape PoC
Proof of concept demonstrating that SandboxPython in CrewAI's CodeInterpreterTool has an incomplete module blocklist, allowing full sandbox escape.
The Bug
SandboxPython blocks 9 modules (os, sys, subprocess, etc.) but leaves 15 dangerous modules importable: pathlib, socket, http.client, ctypes, io, pickle, multiprocessing, threading, asyncio, urllib.request, signal, code, xml.etree, zipfile, tarfile.
Running the PoC
pip install crewai-tools
python poc_sandbox_escape.py
The PoC reproduces the exact SandboxPython class from source, verifies blocked modules are denied, then demonstrates 5 independent escapes:
- File read via pathlib: reads /etc/hostname
- DNS resolution via socket: resolves example.com
- HTTP request via http.client: GETs httpbin.org/ip
- File I/O via io.open: bypasses blocked open builtin
- C calls via ctypes: imports ctypes.CDLL
Affected
- Package: crewai-tools
- File: crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py
- Class: SandboxPython
- Root cause: Blocklist (9 modules) instead of allowlist
CWE
CWE-693: Protection Mechanism Failure
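The root cause above (blocklist instead of allowlist) can be seen by auditing both policies against the same module names. This is an added example, not the PoC and not CrewAI's code: BLOCKED is a simplified stand-in holding only the three names this page lists, and ALLOWED, PROBES and every function name are assumptions made for illustration.

```python
import builtins

# Simplified stand-in for a blocklist: only the three names the page lists.
BLOCKED = {"os", "sys", "subprocess"}
# Hypothetical allowlist: the only modules sandboxed code is expected to need.
ALLOWED = {"math", "json", "re", "datetime"}


def blocklist_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Deny listed modules; everything else, known or not, is importable."""
    if name.split(".")[0] in BLOCKED:
        raise ImportError(f"blocked: {name}")
    return builtins.__import__(name, globals, locals, fromlist, level)


def allowlist_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Permit only listed top-level modules; deny relative imports and the rest."""
    if level != 0 or name.split(".")[0] not in ALLOWED:
        raise ImportError(f"not allowed: {name}")
    return builtins.__import__(name, globals, locals, fromlist, level)


def can_import(module, importer):
    """Run `import <module>` with `importer` as the only builtin available."""
    env = {"__builtins__": {"__import__": importer}}
    try:
        exec(f"import {module}", env)
        return True
    except ImportError:
        return False


def audit(modules, importer):
    """Map each module name to whether the policy lets it through."""
    return {m: can_import(m, importer) for m in modules}


# Probe set: blocked names plus some of the modules the page reports as reachable.
PROBES = ["os", "subprocess", "pathlib", "socket", "http.client", "io", "pickle", "math"]

if __name__ == "__main__":
    for label, importer in (("blocklist", blocklist_import), ("allowlist", allowlist_import)):
        print(label, audit(PROBES, importer))
```

An allowlisted import hook still runs inside the host interpreter, so it is defense in depth; process or container isolation is what provides the boundary.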