CVE-2025-67743
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Local Deep Research's download service. Attackers can submit malicious URLs through the API to access internal services, cloud metadata endpoints, and perform network reconnaissance. Users running versions 1.3.0 through 1.3.8 are affected.
💻 Affected Systems
- Local Deep Research
📦 What is this software?
Local Deep Research by LearningCircuit
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of cloud infrastructure via metadata endpoint access leading to credential theft, lateral movement to internal systems, and data exfiltration.
Likely Case
Internal network reconnaissance, access to internal services, and potential cloud metadata harvesting depending on deployment environment.
If Mitigated
Limited to internal network scanning if proper network segmentation and egress filtering are in place.
🎯 Exploit Status
Exploitation requires API access but is straightforward once authenticated. SSRF techniques are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.9
Vendor Advisory: https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-9c54-gxh7-ppjc
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update to version 1.3.9 via pip: 'pip install --upgrade local-deep-research==1.3.9'.
3. Restart the application service.
🔧 Temporary Workarounds
Network Egress Filtering
Block outbound HTTP requests from the application to internal IP ranges and cloud metadata endpoints.
API Rate Limiting
Implement strict rate limiting on the download API endpoint to limit reconnaissance attempts.
🧯 If You Can't Patch
- Implement network segmentation to isolate the application from internal services and cloud metadata endpoints.
- Deploy a web application firewall (WAF) with SSRF protection rules to filter malicious URL requests.
🔍 How to Verify
Check if Vulnerable:
Check whether download_service.py calls requests.get() directly instead of going through safe_requests.py: review the code, or compare the installed version against the affected range (1.3.0 through 1.3.8).
Check Version:
python -c "import local_deep_research; print(local_deep_research.__version__)"
Verify Fix Applied:
Verify that download_service.py imports the safe_requests module and routes all of its HTTP requests through it.
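As an added illustration of the kind of destination check the fixed code path needs (this is example code, not the project's safe_requests module, whose internals the advisory does not show), a URL guard that refuses the loopback, RFC1918, link-local and cloud-metadata destinations listed under Detection below; the resolver parameter is a hypothetical hook so the check can be exercised without DNS:

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlparse

# Constructed example of an SSRF guard for a download endpoint; not the
# project's own safe_requests implementation.
ALLOWED_SCHEMES = {"http", "https"}
# AWS, GCP and Azure all serve instance metadata from this link-local address;
# GCP additionally exposes it under these hostnames.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}


def _is_disallowed_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for loopback, RFC1918/ULA, link-local, multicast, reserved or unspecified."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve(host: str) -> list[str]:
    """Resolve every A/AAAA record; all of them must be public, not just the first."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_download_url(url: str, resolver=resolve) -> tuple[bool, str]:
    """Return (ok, reason); ok only for http(s) URLs whose host is publicly routable."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname  # already lower-cased and stripped of brackets
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    try:
        ips = [ipaddress.ip_address(host)]  # literal IP in the URL, no DNS needed
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host!r}"
    if not ips:
        return False, f"no addresses for {host!r}"
    for ip in ips:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
        if _is_disallowed_ip(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"
```

The check must be applied to every hop, so the HTTP client should have automatic redirects disabled and re-validate each Location header, and the request should connect to the address that was validated rather than resolving the name a second time.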
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the application to internal IPs or metadata endpoints
- Multiple failed download attempts with unusual URL patterns
Network Indicators:
- HTTP requests from the application server to 169.254.169.254, the link-local address used by the AWS, GCP and Azure instance metadata services
- Outbound requests to RFC1918 addresses from application
SIEM Query:
source="application.log" AND (url CONTAINS "169.254.169.254" OR url CONTAINS "metadata" OR url MATCHES "10\.\d+\.\d+\.\d+" OR url MATCHES "192\.168\.\d+\.\d+" OR url MATCHES "172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+")