Local Deep Research
Monthly
SSRF protection in Local Deep Research prior to version 1.6.10 can be bypassed by authenticated users through a URL parser differential between Python's urlparse and the requests/urllib3 library. By supplying a crafted URL such as http://127.0.0.1:6666\@1.1.1.1, an attacker causes urlparse to extract the public host 1.1.1.1 (passing the SSRF check) while requests actually connects to the internal address 127.0.0.1. No public exploitation has been confirmed in CISA KEV at time of analysis, but a working proof-of-concept was included in the GHSA advisory. The CVSS 5.0 score reflects the authentication barrier (PR:L) and limited confidentiality impact (C:L), though the changed scope (S:C) signals the server itself is used to pivot to otherwise-unreachable internal resources.
SSRF protection in Local Deep Research prior to version 1.6.10 can be bypassed by authenticated users through a URL parser differential between Python's urlparse and the requests/urllib3 library. By supplying a crafted URL such as http://127.0.0.1:6666\@1.1.1.1, an attacker causes urlparse to extract the public host 1.1.1.1 (passing the SSRF check) while requests actually connects to the internal address 127.0.0.1. No public exploitation has been confirmed in CISA KEV at time of analysis, but a working proof-of-concept was included in the GHSA advisory. The CVSS 5.0 score reflects the authentication barrier (PR:L) and limited confidentiality impact (C:L), though the changed scope (S:C) signals the server itself is used to pivot to otherwise-unreachable internal resources.