From 0325703901f1bc48c34d286ad8f4919a97e54f1a Mon Sep 17 00:00:00 2001
From: Greyson LaLonde
Date: Thu, 19 Mar 2026 21:33:59 -0400
Subject: [PATCH] fix: gate callback string resolution behind CREWAI_DESERIALIZE_CALLBACKS env var
---
 lib/crewai/src/crewai/types/callback.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/crewai/src/crewai/types/callback.py b/lib/crewai/src/crewai/types/callback.py
index ad201a0d4..8c35ddca0 100644
--- a/lib/crewai/src/crewai/types/callback.py
+++ b/lib/crewai/src/crewai/types/callback.py
@@ -11,6 +11,7 @@ from __future__ import annotations
 from collections.abc import Callable
 import importlib
 import inspect
+import os
 from typing import Annotated, Any
 import warnings

@@ -75,6 +76,12 @@ def string_to_callable(value: Any) -> Callable[..., Any]:
 raise ValueError(
 f"Invalid callback path {value!r}: expected 'module.name' format"
 )
+ if not os.environ.get("CREWAI_DESERIALIZE_CALLBACKS"):
+ raise ValueError(
+ f"Refusing to resolve callback path {value!r}: "
+ "set CREWAI_DESERIALIZE_CALLBACKS=1 to allow. "
+ "Only enable this for trusted checkpoint data."
+ )
 return _resolve_dotted_path(value)
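Review bot: The gate `if not os.environ.get("CREWAI_DESERIALIZE_CALLBACKS"):` in string_to_callable treats any non-empty value as opt-in, so `CREWAI_DESERIALIZE_CALLBACKS=0` or `=false`, which an operator would plausibly write to switch the feature off, still allows callback paths from checkpoint data to be resolved. Since the error message documents `=1`, compare against an explicit set of accepted values instead, e.g. `if os.environ.get("CREWAI_DESERIALIZE_CALLBACKS", "").strip().lower() not in {"1", "true", "yes"}:`. The switch is also process-wide: once set, every string that passes the format check reaches `_resolve_dotted_path`, whose body is not in this hunk, so if it imports whatever module is named, a module allowlist there would limit what an untrusted checkpoint can load. The start of string_to_callable is outside the hunk.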