Fix SQL injection vulnerability in cache cleanup

Co-Authored-By: Joe Moura <joao@crewai.com>
2026-01-10 00:28:31 +00:00 · 2025-05-05 22:44:18 +00:00
parent 62de5a7989
commit 223683d8bd
1 changed files with 4 additions and 3 deletions
--- a/src/crewai/memory/storage/llm_response_cache_storage.py
+++ b/src/crewai/memory/storage/llm_response_cache_storage.py
@@ -228,10 +228,11 @@ class LLMResponseCacheStorage:
                logger.info("Deleting all cache entries (max_age_days <= 0)")
            else:
                cursor.execute(
-                    f"""
-                    DELETE FROM llm_response_cache
-                    WHERE timestamp < datetime('now', '-{max_age_days} days')
                    """
+                    DELETE FROM llm_response_cache
+                    WHERE timestamp < datetime('now', ? || ' days')
+                    """,
+                    (f"-{max_age_days}",)
                )
                deleted_count = cursor.rowcount