PyPI: local-deep-research
CVE-2025-67743
Safety vulnerability ID: SFTY-20251223-34836
Safety legacy ID: pyup.io-83244
Overview
Local Deep Research is Vulnerable to Server-Side Request Forgery (SSRF) in Download Service
Advisory
Affected versions of the local-deep-research package are vulnerable to Server-Side Request Forgery (SSRF) because the download service makes outbound HTTP requests without applying the project's SSRF validation. The issue is in src/local_deep_research/research_library/services/download_service.py, where _download_generic and related download paths call requests.get() directly instead of the guarded request helpers in security/safe_requests.py and security/ssrf_validator.py. An attacker-controlled URL can be introduced via POST /api/resources/<research_id> (stored by resource_service.py:add_resource()) and is later fetched server-side via /library/api/download/<resource_id>.
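The defect described above is a download path that bypasses the guarded helper. The block below is an added example, not code from local-deep-research, of what such a guarded fetch helper looks like: scheme allow-listing, rejection of URL credentials, resolution of the host with every returned address required to be globally routable (IPv4-mapped IPv6 forms included), and manual redirect handling so that each hop is re-validated rather than followed blindly. validate_url, guarded_get and check are hypothetical names, not the project's security/safe_requests.py or security/ssrf_validator.py API; the DNS and HTTP stand-ins are constructed so the example runs offline.

```python
"""Added example (not local-deep-research's own code): the shape of a guarded
fetch helper that a download path should use instead of calling requests.get()
directly. validate_url / guarded_get are hypothetical names, not the project's
security/safe_requests.py or security/ssrf_validator.py API."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
REDIRECT_CODES = {301, 302, 303, 307, 308}


class SSRFValidationError(ValueError):
    """Raised when the server must not fetch a URL on a user's behalf."""


def _is_public(ip_str):
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local, unspecified, multicast, and IPv4-mapped IPv6 forms of those."""
    ip = ipaddress.ip_address(ip_str.split("%")[0])  # drop an IPv6 zone id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def validate_url(url, resolver=socket.getaddrinfo):
    """Return (hostname, resolved addresses) or raise SSRFValidationError.
    `resolver` is injectable so the check can be exercised offline; the
    default is the real socket.getaddrinfo."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFValidationError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise SSRFValidationError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise SSRFValidationError("credentials in URL are not allowed")
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError as exc:
        raise SSRFValidationError(f"invalid port: {exc}") from exc
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS lookup
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except OSError as exc:  # socket.gaierror is an OSError
            raise SSRFValidationError(f"cannot resolve {host!r}: {exc}") from exc
        addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise SSRFValidationError(f"{host!r} resolved to no addresses")
    for addr in addrs:  # every A/AAAA record must be public, not just the first
        if not _is_public(addr):
            raise SSRFValidationError(f"{host!r} resolves to non-public {addr}")
    return host, addrs


def guarded_get(url, fetch, resolver=socket.getaddrinfo, timeout=10):
    """Fetch only after validation and re-validate every redirect hop.
    requests.get follows redirects by default, so a public host redirecting
    to an internal address would otherwise slip past a one-time check."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver)
        resp = fetch(url, allow_redirects=False, timeout=timeout)
        location = resp.headers.get("Location")
        if resp.status_code in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return resp
    raise SSRFValidationError("too many redirects")


# --- Constructed offline stand-ins for DNS and HTTP (not real hosts) ---
class FakeResponse:
    def __init__(self, status_code, headers=None, text=""):
        self.status_code, self.headers, self.text = status_code, headers or {}, text


FAKE_DNS = {"docs.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
FAKE_SITES = {
    "https://docs.example/paper.pdf": FakeResponse(200, text="%PDF-1.4 constructed"),
    "https://docs.example/moved": FakeResponse(302, {"Location": "http://127.0.0.1:8080/"}),
}


def fake_resolver(host, port, proto=0):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no such host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port)) for ip in FAKE_DNS[host]]


def fake_fetch(url, allow_redirects=False, timeout=10):
    return FAKE_SITES.get(url, FakeResponse(404))


def check(url):
    """Run guarded_get against the stand-ins; returns 'ok <status>' or 'blocked: <why>'."""
    try:
        return f"ok {guarded_get(url, fake_fetch, resolver=fake_resolver).status_code}"
    except SSRFValidationError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for u in ("https://docs.example/paper.pdf", "https://docs.example/moved",
              "http://intranet.example/", "http://[::ffff:127.0.0.1]/", "ftp://docs.example/x"):
        print(u, "->", check(u))
```

Two caveats a reviewer would raise about this shape: validating the name and then letting the HTTP client resolve it again leaves a DNS-rebinding window, which production helpers close by connecting to the validated address and sending the original Host header; and the check must sit inside the one helper every download path calls, since the advisory's root cause is a code path that simply did not go through it.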
References
- https://getsafety.com/vulnerabilities/SFTY-20251223-34836/CVE-2025-67743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-67743
- https://github.com/LearningCircuit/local-deep-research/commit/b79089ff30c5d9ae77e6b903c408e1c26ad5c055
- https://github.com/advisories/GHSA-9c54-gxh7-ppjc
- https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-9c54-gxh7-ppjc
- https://nvd.nist.gov/vuln/detail/CVE-2025-67743
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
