fix: sql injection, prompt injection#4997
Merged
harshgupta-mem0 merged 6 commits into main on Apr 28, 2026
Conversation
Member | @harshgupta-mem0 could you update the PR title and description to drop the PostHog env-variable bullet? The diff doesn't include those telemetry files, so the title/description and the actual changes are out of sync.
Contributor, Author | @whysosaket Done! Thanks for mentioning.
whysosaket approved these changes on Apr 28, 2026
kartik-mem0 approved these changes on Apr 28, 2026
Description
Fixes two categories of security vulnerabilities identified in the mem0 codebase:

1. SQL/CQL Injection in Vector Store Adapters
Table and keyspace names were interpolated directly into SQL/CQL queries using f-strings, which allows arbitrary query execution if an attacker controls the configuration values.
- pgvector.py: Replaced all bare f-string table name interpolations with psycopg.sql.Identifier / psycopg2.sql.Identifier, the driver-native safe quoting mechanism. Also fixed col_info, which embedded the name as a string literal inside pg_total_relation_size().
- azure_mysql.py / cassandra.py: Added a validate_identifier() function that rejects any name not matching ^[a-zA-Z][a-zA-Z0-9_]{0,127}$ at init time. Also fixed Cassandra's list_cols(), which embedded self.keyspace as a single-quoted string literal in a CQL query.

2. Prompt Injection in LLM Reranker
llm_reranker.py was embedding both the user search query and memory document content into a single formatted string sent as a user message, allowing either input to override the scoring instructions. Fixed by splitting instructions into a role=system message and user data into a separate role=user message. Also added 4000-character truncation on both inputs to prevent prompt flooding.

Type of Change
- Bug fix (non-breaking change that fixes an issue)

Verified that:
- Passing a malicious collection name (e.g. "x; DROP TABLE users") to AzureMySQL or CassandraDB raises ValueError at init time before any query executes.
- PGVector uses sql.Identifier, which double-quotes the table name, preventing injection while preserving correct quoting.
- The LLM reranker sends scoring instructions as role=system and user data as role=user.
- Setting MEM0_POSTHOG_API_KEY=test_key overrides the PostHog key in all Python telemetry modules.
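As an added illustration (not code from the mem0 PR itself), the controls the description lists, reconstructed in Python: the identifier allowlist regex quoted above, a hypothetical quote_identifier() that stands in for what psycopg's sql.Identifier produces, and the system/user message split with 4000-character truncation for the reranker. The vulnerable query builder is included only for contrast with the hardened one.

```python
import re

# Allowlist from the PR description: one leading letter, then up to 127 letters, digits or underscores.
IDENTIFIER_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9_]{0,127}$")
MAX_PROMPT_CHARS = 4000  # truncation limit named in the PR description


def validate_identifier(name: str, kind: str = "identifier") -> str:
    """Reject any table/keyspace name outside the allowlist before it can reach a query."""
    if not isinstance(name, str) or not IDENTIFIER_RE.match(name):
        raise ValueError(f"invalid {kind}: {name!r}")
    return name


def quote_identifier(name: str) -> str:
    """Hypothetical stand-in for psycopg's sql.Identifier (not the driver's code):
    wrap the name in double quotes and double any embedded quote, so the whole
    value is parsed as a single identifier token rather than as SQL syntax."""
    return '"' + name.replace('"', '""') + '"'


def count_query_vulnerable(table: str) -> str:
    """The 'before' shape: bare f-string interpolation of a config-controlled name."""
    return f"SELECT COUNT(*) FROM {table}"


def count_query_safe(table: str) -> str:
    """The 'after' shape: allowlist first, then driver-style quoting as defense in depth."""
    return f"SELECT COUNT(*) FROM {quote_identifier(validate_identifier(table, 'table'))}"


def build_rerank_messages(instructions: str, query: str, document: str) -> list:
    """Keep scoring instructions in the system role and untrusted text in the user role,
    truncating both inputs to MAX_PROMPT_CHARS so neither can flood the prompt."""
    body = f"Query: {query[:MAX_PROMPT_CHARS]}\n\nDocument: {document[:MAX_PROMPT_CHARS]}"
    return [
        {"role": "system", "content": instructions},
        {"role": "user", "content": body},
    ]
```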