fix: gate callback string resolution behind CREWAI_DESERIALIZE_CALLBACKS env var

2026-05-01 07:13:00 +00:00 · 2026-03-19 21:33:59 -04:00
parent c1abefbbf3
commit 0325703901
1 changed files with 7 additions and 0 deletions
--- a/lib/crewai/src/crewai/types/callback.py
+++ b/lib/crewai/src/crewai/types/callback.py
@@ -11,6 +11,7 @@ from __future__ import annotations
 from collections.abc import Callable
 import importlib
 import inspect
+import os
 from typing import Annotated, Any
 import warnings

@@ -75,6 +76,12 @@ def string_to_callable(value: Any) -> Callable[..., Any]:
        raise ValueError(
            f"Invalid callback path {value!r}: expected 'module.name' format"
        )
+    if not os.environ.get("CREWAI_DESERIALIZE_CALLBACKS"):
+        raise ValueError(
+            f"Refusing to resolve callback path {value!r}: "
+            "set CREWAI_DESERIALIZE_CALLBACKS=1 to allow. "
+            "Only enable this for trusted checkpoint data."
+        )
    return _resolve_dotted_path(value)