Listen to this Post
The vulnerability arises from a logical flaw in the URL validation mechanism of local-deep-research versions v1.3.0 through v1.6.9. The project uses a function `validate_url` to sanitize user-supplied URLs before making HTTP requests with the `requests` library. This validator relies on `urllib.parse.urlparse()` to extract the hostname and then blocks requests to internal IP addresses (e.g., 127.0.0.1) to prevent Server-Side Request Forgery (SSRF). However, a critical parsing discrepancy exists between `urlparse()` and the underlying parser used by requests.get(), which is urllib3. When a URL contains a backslash (\) before the `@` symbol, the two parsers interpret the destination host differently. For the malicious URL http://127.0.0.1:6666\@1.1.1.1`, `urlparse()` treats the backslash as a regular character and the `@` as the userinfo-host delimiter, thus extracting the hostname as `1.1.1.1` (a public IP). This passes the SSRF check because the address is not internal. In contrast, `requests` (viaurllib3) interprets the backslash as a path character, effectively ignoring it and connecting to `127.0.0.1:6666` – an internal address. This discrepancy allows an attacker to bypass the validator completely. The `safe_get` function first calls `validate_url` (which sees1.1.1.1) and then calls `requests.get` (which connects to127.0.0.1). The proof-of-concept URLhttp://127.0.0.1:6666\@1.1.1.1` demonstrates the bypass. The maintainers confirmed the issue and fixed it in v1.6.10 by rejecting URLs containing backslashes (RFC 3986 forbidden characters) and switching host extraction to `urllib3.util.parse_url().host` to align validation with the actual request library. Additional patches blocked IPv6 transition prefixes and redacted userinfo from logs. The vulnerability affects all versions from v1.3.0 (when `validate_url` was introduced) through v1.6.9, as well as any version before v1.3.0 that had no SSRF validator at all.
DailyCVE Form:
Platform: local-deep-research
Version: v1.3.0-v1.6.9
Vulnerability: SSRF parser bypass
Severity: Critical
date: 2026-05-15
Prediction: 2026-05-10
What Undercode Say:
Check installed version
pip show local-deep-research | grep Version
PoC curl command demonstrating SSRF (if vulnerable)
curl -v "http://127.0.0.1:6666\@1.1.1.1"
Python test script to confirm the bypass
python3 -c "
import requests
url = 'http://127.0.0.1:6666\\@1.1.1.1'
try:
r = requests.get(url, timeout=5)
print(f'Connected to {r.url}')
except Exception as e:
print(e)
"
Exploit:
Use the URL http://127.0.0.1:6666\@1.1.1.1` as input to any endpoint that triggers `safe_get` (e.g., a research query that fetches external content). The validator will approve the public host1.1.1.1, but the actual request will be sent to internal127.0.0.1:6666. An attacker can target internal services (metadata endpoints, internal APIs, Redis, etc.) on port 6666 or any other port by changing the port number. The backslash can be URL-encoded as `%5C` in some contexts, but the raw backslash works directly.`), ASCII control bytes, or whitespace. Replace `urllib.parse.urlparse(url).hostname` with `urllib3.util.parse_url(url).host` to ensure the validator and HTTP client use the same parser. Alternatively, disable the vulnerable feature or implement a network-level allowlist for outbound requests.
<h2 style="color: blue;">Protection:</h2>
Upgrade to local-deep-research v1.6.10 or later. If upgrading is not possible, manually patch `security/ssrf_validator.py` to reject any URL containing a backslash (
Impact:
Successful SSRF allows an attacker to probe internal networks, access cloud metadata endpoints (e.g., AWS IMDS at 169.254.169.254), interact with internal services, read configuration files, or launch further attacks against internal systems. In cloud environments, this can lead to credential theft and privilege escalation. The attacker can bypass all host-based SSRF defenses because the validation logic sees a safe public IP while the actual request hits an internal target.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

