crewAI/lib
Devin AI 8d68d35622 fix: validate tool module imports in load_agent_from_repository to prevent RCE
Add an allowlist of trusted module prefixes (crewai_tools., crewai.tools.) and
a BaseTool subclass check before dynamically importing and instantiating tool
classes from the repository API response.

Previously, tool['module'] and tool['name'] from the API were passed directly
to importlib.import_module() and getattr() without any validation, allowing
a compromised or MITM'd API to import arbitrary Python modules (e.g.
subprocess.Popen) and achieve Remote Code Execution.

Fixes #5446

Co-Authored-By: João <joao@crewai.com>
2026-04-14 07:33:22 +00:00
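
The two checks the commit message describes (a module-prefix allowlist, then a BaseTool subclass check) can be sketched as below. This is an added example, not the crewAI patch itself: `BaseTool`, `SearchTool`, `NotATool`, `load_tool_class`, `is_rejected`, `UntrustedToolError` and the `crewai_tools.demo` module are stand-ins constructed here so the code runs without crewAI installed; only the two prefixes come from the commit message.

```python
import importlib
import inspect
import sys
import types

# Prefixes named in the commit message; every other name here is a stand-in.
ALLOWED_MODULE_PREFIXES = ("crewai_tools.", "crewai.tools.")


class BaseTool:
    """Stand-in for crewAI's BaseTool so the example runs without crewAI."""


class SearchTool(BaseTool):
    """Constructed sample tool."""


class NotATool:
    """Constructed class that lives in an allowlisted module but is no tool."""


# Constructed module registered in sys.modules so the import resolves offline.
demo = types.ModuleType("crewai_tools.demo")
demo.SearchTool, demo.NotATool = SearchTool, NotATool
sys.modules["crewai_tools.demo"] = demo


class UntrustedToolError(ValueError):
    pass


def load_tool_class(tool: dict) -> type:
    """Resolve a tool entry from an API response, or raise UntrustedToolError."""
    module_name = str(tool.get("module", ""))
    class_name = str(tool.get("name", ""))
    # Check the prefix before importing: an import runs the module's top-level code.
    if not module_name.startswith(ALLOWED_MODULE_PREFIXES):
        raise UntrustedToolError(f"module {module_name!r} is not allowlisted")
    obj = getattr(importlib.import_module(module_name), class_name, None)
    # The attribute must be a class derived from BaseTool, not any callable.
    if not (inspect.isclass(obj) and issubclass(obj, BaseTool)):
        raise UntrustedToolError(f"{module_name}.{class_name} is not a BaseTool")
    return obj


def is_rejected(tool: dict) -> bool:
    try:
        load_tool_class(tool)
    except UntrustedToolError:
        return True
    return False
```

The trailing dot in each prefix matters: without it, a look-alike package name such as `crewai_tools_evil` would pass the `startswith` check.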