Issue Station
Sign In
Tools hereToolbox

crewai - ✅(Solved) Fix [Security] Path Traversal in CrewAI Knowledge Sources [1 pull requests, 2 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
crewAIInc/crewAI#4547Fetched 2026-04-08 00:41:30
View on GitHub
Comments
2
Participants
2
Timeline
7
Reactions
0
Author
C4llmelainC4llmelain
Participants
C4llmelainC4llmelainVidit-OstwalVidit-Ostwal
Timeline (top)
commented ×2closed ×1cross-referenced ×1mentioned ×1

Fix Action

Fixed

PR fix notes

PR #4548: fix: prevent path traversal in knowledge source file paths (#4547)

Description (problem / solution / changelog)

fix: prevent path traversal in knowledge source file paths (#4547)

Summary

Adds path boundary validation to prevent path traversal attacks in knowledge source file path handling. Previously, convert_to_path() simply concatenated user-provided strings with KNOWLEDGE_DIRECTORY (e.g., Path("knowledge/" + path)), allowing ../ sequences to escape the knowledge directory and read arbitrary files on the system.

The fix uses Path.resolve() + Path.is_relative_to() to validate that the final resolved path remains within the knowledge directory, raising ValueError if it doesn't. Applied to three locations:

  • BaseFileKnowledgeSource.convert_to_path()
  • ExcelKnowledgeSource.convert_to_path()
  • CrewDoclingSource.validate_content() (inline path construction)

Review & Testing Checklist for Human

  • Path objects bypass validation: When a Path object (not a string) is passed, the traversal check is skipped entirely — only string inputs are validated. Verify this is acceptable for your threat model, since Path("../../etc/passwd") would not be caught.
  • Relative KNOWLEDGE_DIRECTORY + resolve(): KNOWLEDGE_DIRECTORY is "knowledge" (relative). Path("knowledge").resolve() resolves against CWD. Verify this behaves correctly in all deployment contexts (e.g., different working directories, symlinks).
  • test_valid_paths_still_work_in_convert_to_path passes a Path object, so it exercises the non-validated branch. Consider whether a test with a valid string path (e.g., "test_valid.txt" where knowledge/test_valid.txt exists) would better cover the happy path through the new validation logic.
  • Docling test will be skipped in environments without the docling package — the crew_docling_source.py fix may not be tested in CI.

Suggested manual test: instantiate a TextFileKnowledgeSource(file_paths=["../../../etc/passwd"]) and confirm it raises ValueError.

Notes

Changed files

  • lib/crewai/src/crewai/knowledge/source/base_file_knowledge_source.py (modified, +14/-2)
  • lib/crewai/src/crewai/knowledge/source/crew_docling_source.py (modified, +6/-1)
  • lib/crewai/src/crewai/knowledge/source/excel_knowledge_source.py (modified, +14/-2)
  • lib/crewai/tests/knowledge/test_knowledge.py (modified, +64/-0)

Code Example

def convert_to_path(self, path: Path | str) -> Path:
    return Path(KNOWLEDGE_DIRECTORY + "/" + path) if isinstance(path, str) else path

---

def convert_to_path(self, path: Path | str) -> Path:
    if isinstance(path, str):
        result = Path(KNOWLEDGE_DIRECTORY) / path
    else:
        result = Path(path)
    
    resolved = result.resolve()
    knowledge_dir = Path(KNOWLEDGE_DIRECTORY).resolve()
    
    if not resolved.is_relative_to(knowledge_dir):
        raise ValueError(f"Path '{path}' is outside allowed directory")
    
    return resolved
RAW_BUFFERClick to expand / collapse

@C4llmelain reports a security vulnerability in CrewAI Knowledge Sources.

Please see the attached detailed report.

The vulnerable code is in lib/crewai/src/crewai/knowledge/source/base_file_knowledge_source.py where the convert_to_path() method does not validate path boundaries, allowing path traversal attacks.

Vulnerability Details

When an application passes untrusted input to the file_path or file_paths parameter of these Knowledge Source classes, this vulnerability can be triggered.

The convert_to_path() method simply concatenates the user-provided path without verifying that the resolved path is within the allowed KNOWLEDGE_DIRECTORY:

def convert_to_path(self, path: Path | str) -> Path:
    return Path(KNOWLEDGE_DIRECTORY + "/" + path) if isinstance(path, str) else path

An attacker can use path traversal sequences such as "../" to escape the knowledge directory and read arbitrary files.

Impact

This is a library-level vulnerability. The final CVSS score will depend on the host application's exposure surface.

If the application exposes this API with untrusted user input, the attacker may be able to read files outside the intended knowledge directory.

Recommendation

Add path boundary validation in convert_to_path():

def convert_to_path(self, path: Path | str) -> Path:
    if isinstance(path, str):
        result = Path(KNOWLEDGE_DIRECTORY) / path
    else:
        result = Path(path)
    
    resolved = result.resolve()
    knowledge_dir = Path(KNOWLEDGE_DIRECTORY).resolve()
    
    if not resolved.is_relative_to(knowledge_dir):
        raise ValueError(f"Path '{path}' is outside allowed directory")
    
    return resolved

Reporter

C4llmelain

extent analysis

Fix Plan

To fix the path traversal vulnerability in the convert_to_path() method, follow these steps:

  • Update the convert_to_path() method to validate path boundaries.
  • Use the resolve() method to get the absolute path and check if it's within the allowed KNOWLEDGE_DIRECTORY.

Example Code

def convert_to_path(self, path: Path | str) -> Path:
    if isinstance(path, str):
        result = Path(KNOWLEDGE_DIRECTORY) / path
    else:
        result = Path(path)
    
    resolved = result.resolve()
    knowledge_dir = Path(KNOWLEDGE_DIRECTORY).resolve()
    
    if not resolved.is_relative_to(knowledge_dir):
        raise ValueError(f"Path '{path}' is outside allowed directory")
    
    return resolved

Verification

  • Test the updated convert_to_path() method with various input paths, including those with path traversal sequences (e.g., "../").
  • Verify that the method raises a ValueError when the resolved path is outside the allowed KNOWLEDGE_DIRECTORY.
  • Ensure that the method returns the correct resolved path when the input path is within the allowed directory.

Extra Tips

  • Always validate user-provided input to prevent security vulnerabilities.
  • Use the resolve() method to get the absolute path and check if it's within the allowed directory.
  • Consider using a library like pathlib to handle path operations and validation.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#ssr#installation#tensor shape#autograd error#model compatibility#GPU setup#container setup#orchestration issue

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING