-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| local-deep-research | pip | > 0.2.0, < 1.0.0 | 1.0.0 |
Miggo AIRoot Cause AnalysisThe vulnerability stemmed from the systemic use of an unencrypted SQLite database to store all application settings, including sensitive API keys. The analysis of the patch commit 5a9af8e6bec2e0fbaaf9810c1398f5b429588243 reveals a major architectural overhaul to address this. The core of the fix was the introduction of per-user, encrypted databases using SQLCipher, managed by the new DatabaseManager class in src/local_deep_research/database/encrypted_db.py.
The identified vulnerable functions were the key components of the previous insecure architecture:
ensure_database_initialized: This function, now removed, was responsible for creating the unencrypted database file, laying the foundation for the vulnerability.get_db_setting: This utility function, also removed, provided a direct interface for any part of the application to read settings from the unencrypted database, making it a primary vector for data exposure.SettingsManager.get_setting and SettingsManager.set_setting: These methods in the SettingsManager class were the main entry points for retrieving and storing settings. Before the patch, they operated on the unencrypted database, directly leading to the plaintext storage of API keys and other secrets.The patch replaces this insecure system with a robust, secure one that requires user authentication and stores all user data, including settings and API keys, in individual, encrypted databases. This change is evident from the addition of dependencies like flask-login and sqlcipher3, and the creation of new modules for authentication and encrypted database management.