GHSA-4h8c-qrcq-cv5c: Local Deep Research's API keys are stored in plain text
Affected Versions: > 0.2.0 and < 1.0.0
Patched Versions: >= 1.0.0
Description:
The library stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was documented only on the database architecture page, and users could not configure the database location. As a result, anyone with read access to the container or host filesystem could retrieve the sensitive data in plaintext by opening the .db file.
Impact: Unauthorized access to API keys and other confidential data if the SQLite database file was exposed.
Fixed in Version 1.0.0:
- Database is fully encrypted
- Database location is configurable
- API keys can be set via environment variables (this capability existed in earlier versions)
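The exposure described above, as an added example that is not part of this advisory or of the local-deep-research project: a Python check that opens a SQLite file read-only, walks every user table, and reports cells whose values look like API keys, together with a check of the file's permission bits. The key-shape patterns, the `settings` table, its column names and the fake `sk-` value are constructed assumptions for this example, not the project's schema or data.

```python
"""Find plaintext API keys in a SQLite file and check its permission bits.

Added example: not code from local-deep-research. Table names, column names
and the key value are constructed for illustration, not the project's schema.
"""
import os
import re
import sqlite3
import stat
import tempfile

# Assumed key shapes; extend for the providers you actually configure.
KEY_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),       # OpenAI-style secret key
    re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),        # Google API key
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),          # GitHub personal access token
    re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),  # Slack token
]


def mask(secret):
    """Keep a short prefix so a finding can be reported without re-leaking the key."""
    return secret[:6] + "..."


def find_plaintext_secrets(db_path):
    """Open the file read-only, walk every user table, and return
    (table, column, rowid, masked_match) for each cell that matches a key pattern."""
    findings = []
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for rowid, *values in conn.execute(f'SELECT rowid, * FROM "{table}"'):
                for col, val in zip(cols, values):
                    if not isinstance(val, str):
                        continue
                    for pat in KEY_PATTERNS:
                        m = pat.search(val)
                        if m:
                            findings.append((table, col, rowid, mask(m.group(0))))
                            break
    finally:
        conn.close()
    return findings


def db_readable_by_others(db_path):
    """True if group or world can read the file: the exposure the advisory describes
    for anyone else on the host or with access to the container filesystem."""
    return bool(os.stat(db_path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def build_sample_db(path):
    """Constructed sample mirroring the affected behaviour: a key saved in the clear."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE settings (key TEXT, value TEXT)")
    conn.executemany("INSERT INTO settings VALUES (?, ?)", [
        ("llm.provider", "openai"),
        ("llm.openai.api_key", "sk-" + "A" * 24),  # fake key, constructed
        ("search.max_results", "10"),
    ])
    conn.commit()
    conn.close()
    os.chmod(path, 0o644)  # typical default umask result: world-readable


def demo():
    """Build the sample in a temp dir, scan it, then apply the 0600 mitigation.
    Returns (findings, readable_by_others_before_chmod, readable_by_others_after_chmod)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldr.db")
        build_sample_db(path)
        findings = find_plaintext_secrets(path)
        before = db_readable_by_others(path)
        os.chmod(path, 0o600)
        return findings, before, db_readable_by_others(path)


if __name__ == "__main__":
    found, before, after = demo()
    for table, col, rowid, masked in found:
        print(f"plaintext key in {table}.{col} rowid={rowid}: {masked}")
    print(f"readable by others before chmod: {before}, after: {after}")
```

Run the scanner against a copy of the .db file: a matching row means the key has already been on disk in the clear, so it should be rotated rather than merely deleted. On an affected version the minimal mitigation is to supply keys through environment variables instead of saving them through the UI and to keep the database file at mode 0600; upgrading to 1.0.0 removes the plaintext storage.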
Source: GitHub Advisory Database (GitHub Reviewed)
CVE ID: CVE-2025-57806
Package: local-deep-research (pip)
References
- GHSA-4h8c-qrcq-cv5c
- LearningCircuit/local-deep-research#578
- LearningCircuit/local-deep-research@5a9af8e
Published to the GitHub Advisory Database: Sep 2, 2025