PyPI: initrunner
SFTY-20260226-82809
Safety legacy ID: pyup.io-87479
Affected versions of the initrunner package are vulnerable to filter injection due to unescaped single quotes being interpolated into Zvec filter expressions. The initrunner/stores/zvec_store.py methods that build filter=... strings (e.g., delete_by_filter(...) and collection query(...) calls using source, agent_name, and session_id) did not escape ', allowing crafted values to break out of the intended string predicate. https://github.com/vladkesler/initrunner/commit/5e6fa42828b4b304493bb86ebde06feb41f57b0b
Overview
Affected versions of the initrunner package are vulnerable to filter injection due to unescaped single quotes being interpolated into Zvec filter expressions. The initrunner/stores/zvec_store.py methods that build filter=... strings (e.g., delete_by_filter(...) and collection query(...) calls using source, agent_name, and session_id) did not escape ', allowing crafted values to break out of the intended string predicate. https://github.com/vladkesler/initrunner/commit/5e6fa42828b4b304493bb86ebde06feb41f57b0b
Advisory
Affected versions of the initrunner package are vulnerable to filter injection due to unescaped single quotes being interpolated into Zvec filter expressions. The initrunner/stores/zvec_store.py methods that build filter=... strings (e.g., delete_by_filter(...) and collection query(...) calls using source, agent_name, and session_id) did not escape ', allowing crafted values to break out of the intended string predicate. https://github.com/vladkesler/initrunner/commit/5e6fa42828b4b304493bb86ebde06feb41f57b0b
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more