Fix #5446: Prevent RCE via unvalidated dynamic module import in load_agent_from_repository

[devin-ai-integration]

Summary

Fixes a critical Remote Code Execution vulnerability (#5446) in load_agent_from_repository. When loading agents from the CrewAI Plus API, the tool["module"] and tool["name"] fields were passed directly to importlib.import_module() and getattr() without any validation. An attacker who controls or compromises the API response could force the victim to import arbitrary Python modules (e.g. subprocess.Popen) and execute arbitrary code.

Changes

lib/crewai/src/crewai/utilities/agent_utils.py:

• Added ALLOWED_TOOL_MODULE_PREFIXES constant — a strict allowlist of trusted module prefixes (crewai_tools., crewai.tools.)
• Added _is_trusted_tool_module() helper to validate module paths against the allowlist
• Before importing, the tool module path is now checked against the allowlist; untrusted modules raise AgentRepositoryError
• After importing, the resolved class is validated to be a BaseTool subclass before instantiation
• Moved import importlib from local scope to module-level import

lib/crewai/tests/utilities/test_agent_utils.py:

• Added TestIsTrustedToolModule (11 tests) — validates allowlist logic for trusted prefixes, dangerous modules, partial matches, and edge cases
• Added TestAllowedToolModulePrefixes (2 tests) — ensures the constant contains expected prefixes and no dangerous ones
• Added TestLoadAgentFromRepositoryModuleValidation (7 tests) — integration tests covering the exact attack vector from the issue (subprocess.Popen), os module, arbitrary modules, non-BaseTool class rejection, trusted module acceptance, non-tool attribute passthrough, and mixed malicious/legitimate tool lists

Review & Testing Checklist for Human

• Verify that the allowlist prefixes (crewai_tools., crewai.tools.) cover all legitimate tool module paths used in production repository agent definitions
• If there are other trusted module prefixes for tools (e.g. third-party integrations), they may need to be added to ALLOWED_TOOL_MODULE_PREFIXES
• Test loading a real agent from the CrewAI Plus API with from_repository to confirm tools still load correctly end-to-end
• Consider whether TLS certificate pinning for the PlusAPI endpoint would add further defense-in-depth

Notes

• The fix is intentionally strict — only modules under crewai_tools. and crewai.tools. are allowed. This is a security-critical path and an allowlist is safer than a denylist.
• The BaseTool subclass check acts as a second layer of defense even if a module passes the prefix check.
• All 82 tests in test_agent_utils.py pass, including the 20 new ones. Ruff lint passes cleanly.

Link to Devin session: https://app.devin.ai/sessions/5d8f71d83cac40ae8805c1139726c27f

---

Note

High Risk
Adds strict validation to dynamic tool imports when loading agents from the repository API, which can impact any users relying on custom/non-allowlisted tool modules. Security-critical path change; mistakes in allowlist or type checks could break legitimate agents but reduces RCE risk.

Overview
Closes an RCE vector in load_agent_from_repository by blocking untrusted dynamic imports from repository-supplied tool metadata.

Tool loading now enforces an allowlist (ALLOWED_TOOL_MODULE_PREFIXES) via _is_trusted_tool_module, and additionally verifies the resolved symbol is a BaseTool subclass before instantiation; errors are surfaced as AgentRepositoryError without being masked by generic exception handling.

Adds comprehensive tests covering allowlist edge cases and end-to-end rejection of malicious modules/classes (e.g. subprocess.Popen, os.system), plus a positive-path load of an allowed crewai_tools.* tool.

^{Reviewed by Cursor Bugbot for commit 3c8d2d2. Bugbot is set up for automated code reviews on this repo. Configure here.}

[devin-ai-integration]

Prompt hidden (unlisted session)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 3c8d2d2. Configure here.}

[cursor]

Allowlist rejects the actual production module path format

High Severity

The ALLOWED_TOOL_MODULE_PREFIXES only contains "crewai_tools." and "crewai.tools." (with trailing dots), but the existing tests in test_agent.py (lines 2086, 2091, 2123, 2147) show the CrewAI Plus API actually returns "module": "crewai_tools" (without a trailing dot or submodule) for tools like SerperDevTool and FileReadTool. Since "crewai_tools".startswith("crewai_tools.") is False, all legitimate tool imports using the bare package name will be rejected as untrusted, breaking repository agent loading in production.

Additional Locations (1)

• lib/crewai/src/crewai/utilities/agent_utils.py#L1099-L1104

 

^{Reviewed by Cursor Bugbot for commit 3c8d2d2. Configure here.}