CVE-2025-57806: 
Python vulnerability analysis and mitigation

Local Deep Research, an AI-powered research assistant for deep, iterative research, was found to have a security vulnerability (CVE-2025-57806) affecting versions 0.2.0 through 0.6.7. The vulnerability involved storing confidential information, including API keys, in a local SQLite database without encryption. The issue was discovered and disclosed on September 2, 2025, and has been fixed in version 1.0.0 (GitHub Advisory).

The vulnerability stemmed from storing sensitive data in plaintext within a SQLite database without proper encryption. The database location was not configurable, and the unencrypted storage behavior was not clearly documented except in the database architecture documentation. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.9 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The weakness has been categorized under CWE-312 (Cleartext Storage of Sensitive Information) and CWE-522 (Insufficiently Protected Credentials) (GitHub Advisory).

The vulnerability allowed anyone with access to the container or host filesystem to retrieve sensitive data, including API keys, in plaintext by accessing the .db file. This could lead to unauthorized access to confidential information if the SQLite database file was exposed (GitHub Advisory).

The vulnerability has been fixed in version 1.0.0 with several security improvements: the database is now fully encrypted, database location is configurable, and API keys can be set via environment variables. Users are advised to upgrade to version 1.0.0 or later to address this security issue (GitHub Release, GitHub Advisory).