PT-2025-52729 · Pypi+1 · Requests+1
Yueyuel · Published 2025-12-23 · Updated 2025-12-23 · CVE-2025-67743
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Local Deep Research versions 1.3.0 through 1.3.8
Description: The software is an AI-powered research assistant. A flaw exists in the download service (download_service.py), where HTTP requests are made with raw requests.get() calls that bypass the application's Server-Side Request Forgery (SSRF) protection (safe_requests.py). By submitting a malicious URL through the API, an authenticated attacker can make the server fetch arbitrary destinations, which potentially exposes internal services and cloud provider metadata endpoints (AWS/GCP/Azure) and enables internal network reconnaissance.
Recommendations: Update to version 1.3.9 or later.
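The description above says the bug is a raw requests.get() on an attacker-controlled URL that skips the application's SSRF guard. The following is an added illustration, not code from Local Deep Research or its safe_requests.py: a minimal guard (is_safe_url) that rejects non-HTTP schemes, credentials in the URL, cloud metadata hosts and any hostname or literal that resolves to a non-public address, beside the unsafe pattern and a safe_get() wrapper that re-validates every redirect hop. The function names, the stub DNS table and the fake server responses are assumptions constructed for this example; the default transport uses requests with allow_redirects=False.

```python
"""Added example (not the project's code): an SSRF guard for a download service.

Names (is_safe_url, safe_get, try_download), the stub DNS table and the fake
server responses are assumptions constructed for this illustration.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urljoin, urlsplit

# Hosts that front cloud metadata services (AWS/GCP/Azure answer on 169.254.169.254).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

Resolver = Callable[[str], Iterable[str]]
Fetch = Callable[[str], tuple[int, dict, bytes]]


def download_unsafe(url: str) -> bytes:
    """The pattern the advisory describes: raw requests.get() on a user-supplied URL.
    Any scheme, any host, redirects followed blindly."""
    import requests
    return requests.get(url).content


def resolve(hostname: str) -> list[str]:
    """Real DNS lookup; returns every A/AAAA address so none hides behind round-robin."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_safe_url(url: str, resolver: Resolver = resolve) -> tuple[bool, str]:
    """Return (ok, reason). Rejects anything that could reach loopback, RFC 1918,
    link-local (metadata) or otherwise non-public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host in METADATA_HOSTS:
        return False, "cloud metadata host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # dotted-quad or IPv6 literal
    except ValueError:
        # A hostname, or an odd literal such as 127.1 / 0x7f000001 that the OS
        # resolver may still map to loopback: vet every address it resolves to.
        addrs = list(resolver(host))
        if not addrs:
            return False, "host does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


def _requests_fetch(url: str, timeout: float = 10.0) -> tuple[int, dict, bytes]:
    """Default transport: one hop only, so safe_get() can vet each redirect target."""
    import requests  # imported here so the module loads without requests installed
    r = requests.get(url, allow_redirects=False, timeout=timeout)
    return r.status_code, dict(r.headers), r.content


def safe_get(url: str, *, max_redirects: int = 5, resolver: Resolver = resolve,
             fetch: Fetch = _requests_fetch) -> tuple[int, bytes]:
    """Drop-in for requests.get() in a download service: validate the URL, then follow
    redirects by hand so a public host cannot 302 the client to an internal one."""
    current = url
    for _ in range(max_redirects + 1):
        ok, reason = is_safe_url(current, resolver)
        if not ok:
            raise ValueError(f"blocked {current}: {reason}")
        status, headers, body = fetch(current)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_CODES and location:
            current = urljoin(current, location)
            continue
        return status, body
    raise ValueError(f"too many redirects starting at {url}")


# Constructed fixtures so the example runs offline (not real hosts or responses).
STUB_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "intranet.test": ["10.0.0.5"],
}
FAKE_SERVER = {
    "https://example.com/report.pdf": (200, {}, b"%PDF-1.7 constructed sample"),
    "https://example.com/go": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"iam/ must never be reached"),
}


def stub_resolver(hostname: str) -> list[str]:
    return STUB_DNS.get(hostname, [])


def fake_fetch(url: str) -> tuple[int, dict, bytes]:
    return FAKE_SERVER.get(url, (404, {}, b""))


def try_download(url: str) -> str:
    """Run safe_get against the fixtures; report 'ok:<status>' or 'blocked:<reason>'."""
    try:
        status, _ = safe_get(url, resolver=stub_resolver, fetch=fake_fetch)
        return f"ok:{status}"
    except ValueError as exc:
        return f"blocked:{exc}"


if __name__ == "__main__":
    for u in ["https://example.com/report.pdf", "https://example.com/go",
              "http://127.0.0.1:8080/admin", "http://intranet.test/", "file:///etc/passwd"]:
        print(f"{u:45s} -> {try_download(u)}")
```

Two caveats a reviewer would raise against even this guard. First, it resolves the name once and requests resolves it again, so a DNS-rebinding host can pass the check and then answer with an internal address; closing that gap means connecting to the vetted IP and setting Host/SNI yourself, which this example does not do. Second, the `is_global` test depends on the Python version's address registry, so pin the interpreter and add explicit denylist tests for 127.0.0.0/8, 10/8, 172.16/12, 192.168/16, 169.254/16 and ::1 in the project's test suite.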

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2025-67743
GHSA-9C54-GXH7-PPJC

Affected Products

Local-Deep-Research
Requests