Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. However, there are indeed differences in parsing between urlparse and the library that actually sends the request. For example, in safe_get, validate_url is first used to perform an SSRF check, and then requests.get is used to send the actual request. This vulnerability is fixed in 1.6.10.
AnalysisAI
SSRF protection in Local Deep Research prior to version 1.6.10 can be bypassed by authenticated users through a URL parser differential between Python's urlparse and the requests/urllib3 library. By supplying a crafted URL such as http://127.0.0.1:6666\@1.1.1.1, an attacker causes urlparse to extract the public host 1.1.1.1 (passing the SSRF check) while requests actually connects to the internal address 127.0.0.1. No public exploitation has been confirmed in CISA KEV at time of analysis, but a working proof-of-concept was included in the GHSA advisory. The CVSS 5.0 score reflects the authentication barrier (PR:L) and limited confidentiality impact (C:L), though the changed scope (S:C) signals the server itself is used to pivot to otherwise-unreachable internal resources.
Technical ContextAI
Local Deep Research (CPE: cpe:2.3:a:learningcircuit:local-deep-research:*:*:*:*:*:*:*:*) is a Python-based AI research assistant that fetches external URLs as part of its research pipeline. The vulnerable code path is the safe_get function, which calls validate_url for SSRF protection before passing the URL to requests.get. validate_url uses Python's urllib.parse.urlparse to extract the host and compare it against a blocklist of private IP ranges. The root cause (CWE-918, Server-Side Request Forgery) is a parser-differential: urlparse treats a backslash as an ordinary character and interprets the @ symbol as the userinfo-host separator, extracting the public host to the right of @. The requests library (backed by urllib3) treats backslash as a path delimiter, so the actual TCP connection is made to the host to the left of the backslash - an internal address that would normally be blocked. The same differential affected the NotificationURLValidator for HTTP/HTTPS notification URLs. The fix in v1.6.10 applies two layers: (1) an RFC_FORBIDDEN_URL_CHARS_RE regex in ssrf_validator.py that outright rejects URLs containing backslash, whitespace, or ASCII control bytes; and (2) replacing urlparse hostname extraction with urllib3.util.parse_url so the validator and HTTP client use the identical parser.
RemediationAI
Upgrade local-deep-research to version 1.6.10 or later via pip (pip install --upgrade local-deep-research). The fix is confirmed in the vendor release at https://github.com/LearningCircuit/local-deep-research/releases/tag/v1.6.10 and was delivered across PRs #3873, #3882, #3889, and #3932. If immediate upgrade is not possible, a compensating control is to restrict network egress from the host running Local Deep Research using firewall rules or a network policy that blocks outbound connections to RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback (127.0.0.0/8) - this limits SSRF reachability but does not remediate the parser flaw itself, and misconfigured egress rules may leave cloud metadata endpoints exposed. Additionally, restrict access to the application to trusted users only until patching is complete, reducing exposure given the PR:L requirement.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32977
GHSA-g23j-2vwm-5c25