Local Deep Research Exploit

MEDIUM (6.3) No Patch

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Local Deep Research is an AI-powered research assistant for deep, iterative research. It is a Python-based tool designed to assist researchers in their work. The discovered vulnerability is a server-side request forgery (SSRF): by submitting malicious URLs through the API, an attacker can make the server reach internal services, attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), and perform internal network reconnaissance.

Am I affected?

You're affected if you use Local Deep Research versions 1.3.0 up to, but not including, 1.3.9. If you don't recognise this software, you're probably not affected. Check with your IT department or a researcher familiar with Local Deep Research to confirm.

Affected Products

aEnrich / a+HRD

How to fix

Upgrade to version 1.3.9 or later from the official GitHub repository: https://github.com/LearningCircuit/local-deep-research/releases/tag/1.3.9.

Immediate mitigations:
- Restrict network access to your Local Deep Research instance (firewall it from the public internet).
- Audit admin account activity for suspicious access patterns.
- Monitor for unauthorized token creation.
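The kind of destination check a URL-fetching feature needs against the SSRF described above, shown here as an added example that is not the project's own patch: every resolved address is rejected if it falls in loopback, private, link-local (cloud metadata) or equivalent IPv6 space, and the caller is handed one vetted IP to connect to. `make_static_resolver` and the hostnames and addresses it serves are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Destinations a server-side fetcher must never reach: loopback, RFC 1918,
# link-local (which holds the 169.254.169.254 metadata address used by AWS,
# GCP and Azure), carrier-grade NAT, and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap ::ffff:169.254.169.254-style literals
    return any(addr in net for net in BLOCKED_NETWORKS)

def make_static_resolver(table: dict):
    """Offline stand-in for socket.getaddrinfo; `table` is constructed data."""
    def resolve(host, port, type=None):
        if host not in table:
            raise socket.gaierror(f"unknown host {host!r}")
        return [(None, None, None, "", (ip, port)) for ip in table[host]]
    return resolve

def validate_research_url(url: str, resolver=socket.getaddrinfo) -> str:
    # Returns the one IP the fetcher may connect to, or raises ValueError.
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"only http(s) URLs with a host are accepted: {url!r}")
    try:
        records = resolver(parts.hostname, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {parts.hostname!r}") from exc
    ips = sorted({rec[4][0] for rec in records})
    # Refuse if *any* answer is internal (a name mixing public and private
    # records is the usual DNS-rebinding shape and must not pass).
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"{parts.hostname!r} resolves to blocked {ip}")
    # Caller connects to exactly this vetted IP (keeping the original Host
    # header) instead of resolving the name a second time.
    return ips[0]

def is_url_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        validate_research_url(url, resolver)
        return True
    except ValueError:
        return False
```

Redirects need the same treatment: a fetcher that follows a `Location` header automatically must run the new target through `validate_research_url` before each hop.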