local-deep-research 0.5.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the local-deep-research package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Insertion of Sensitive Information into Log File local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the logging of sensitive configuration data by the `start_research` function in `local_deep_research.web.routes.research_routes` and the `run_research_process` function in `local_deep_research.web.services.research_service`. These functions write full settings snapshots (including API keys, tokens, and passwords) to application logs instead of using a redacting logger, allowing anyone with access to the logs to obtain sensitive secrets. How to fix Insertion of Sensitive Information into Log File? Upgrade `local-deep-research` to version 1.0.0 or higher.	[,1.0.0)
M Cross-site Scripting (XSS) local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via incomplete HTML sanitization in the client-side PDF export pipeline. An attacker can exploit this vulnerability by supplying crafted HTML or script payloads that bypass the regular expression–based filtering in the `downloadPdf` function in `src/local_deep_research/web/static/js/services/pdf.js`, resulting in arbitrary script execution in the user’s browser during PDF generation. How to fix Cross-site Scripting (XSS)? Upgrade `local-deep-research` to version 1.0.0 or higher.	[,1.0.0)
M Open Redirect local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches Affected versions of this package are vulnerable to Open Redirect via the `next_page` query parameter in the post-authentication redirection flow. An attacker can exploit this vulnerability by supplying a crafted `next_page` value to the `local_deep_research.web.auth.routes.login` handler, causing users to be redirected to an attacker-controlled domain after login, which can facilitate phishing attacks or credential theft. How to fix Open Redirect? Upgrade `local-deep-research` to version 1.0.0 or higher.	[,1.0.0)
M Improper Input Validation local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches Affected versions of this package are vulnerable to Improper Input Validation via the HTML entity decoding logic in the client-side PDF export pipeline. An attacker can exploit this vulnerability by supplying specially crafted input containing nested or malformed HTML entities that are double-unescaped in the `downloadPdf` function of the `src/local_deep_research/web/static/js/services/pdf.js` component, allowing encoded payloads to be transformed into executable markup after multiple decoding passes. How to fix Improper Input Validation? Upgrade `local-deep-research` to version 1.0.0 or higher.	[,1.0.0)
M Cleartext Storage of Sensitive Information local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a local SQLite database. An attacker can access sensitive information, including API keys, by obtaining local access to the filesystem or container where the database file is stored. How to fix Cleartext Storage of Sensitive Information? Upgrade `local-deep-research` to version 1.0.0 or higher.	[0.2.0,1.0.0)

Vulnerability

Vulnerable Version

Insertion of Sensitive Information into Log File

local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the logging of sensitive configuration data by the start_research function in local_deep_research.web.routes.research_routes and the run_research_process function in local_deep_research.web.services.research_service. These functions write full settings snapshots (including API keys, tokens, and passwords) to application logs instead of using a redacting logger, allowing anyone with access to the logs to obtain sensitive secrets.

How to fix Insertion of Sensitive Information into Log File?