Local Deep Research’s API keys are stored in plain text

6.9 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0.

Basic Information

ID CVE-2025-57806

Source GitHub_M

Published Sep 3, 2025 at 00:47

Affected Product

Vendor LearningCircuit

Product local-deep-research

Version >= 0.2.0, < 1.0.0

Affected Versions LearningCircuit local-deep-research >= 0.2.0, < 1.0.0

CWE Classification

CWE-312 CWE-522

References

{
    "lastseen": "",
    "description": "Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0.",
    "published": "2025-09-03T00:47:24.262Z",
    "modified": "2025-09-03T00:47:24.262Z",
    "type": "cve",
    "title": "Local Deep Research's API keys are stored in plain text",
    "source": "GitHub_M",
    "references": "https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-4h8c-qrcq-cv5c\nhttps://github.com/LearningCircuit/local-deep-research/pull/578\nhttp://github.com/LearningCircuit/local-deep-research/releases/tag/v1.0.0",
    "id": "CVE-2025-57806",
    "bulletinFamily": "",
    "cwe": [
        "CWE-312",
        "CWE-522"
    ],
    "cvelist": null,
    "sourceData": "LearningCircuit local-deep-research >= 0.2.0, < 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "local-deep-research",
    "version": ">= 0.2.0, < 1.0.0",
    "vendor": "LearningCircuit",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Local Deep Research’s API keys are stored in plain text_CVE-2025-57806