GHSA-f54f-hr32-586f – browser-use
Package
Manager: pip
Name: browser-use
Vulnerable Version: <0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CVSS v4.0: N/A
EPSS: N/A (percentile: N/A)
Details
Duplicate Advisory: `allowed_domains` can be bypassed by putting a decoy domain in the HTTP auth username portion of a URL

Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-x39x-9qw5-ghrf. This link is maintained to preserve external references.

Original Description
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.
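The mishandling described above (CWE-647) comes down to treating the whole authority component, userinfo included, as the host. The following added example is not browser-use's code: it contrasts a constructed naive allowlist check with a hardened one that compares only the parsed hostname and rejects URLs carrying userinfo at all. The `ALLOWED_DOMAINS` list and both function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist, standing in for an allowed_domains setting.
ALLOWED_DOMAINS = ["example.com"]


def naive_is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Constructed illustration of the mistake: everything between the scheme
    and the first '/' is taken as the host. Userinfo ('user:pass@') is part of
    that authority component, so a decoy domain placed there is matched."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    return any(d in authority for d in allowed)


def hardened_is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Compare only the parsed hostname against the allowlist.

    urlsplit().hostname is lowercased and excludes userinfo and port. A URL
    that carries userinfo at all is refused, and matching requires either an
    exact host or a proper subdomain (dot-separated), never a substring."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


if __name__ == "__main__":
    # Constructed sample URLs: a legitimate one, a userinfo decoy,
    # and a substring look-alike domain.
    samples = [
        "https://docs.example.com/page",
        "https://example.com@evil.example/login",
        "https://example.com.evil.example/",
    ]
    for u in samples:
        print(f"{u:45} naive={naive_is_allowed(u)!s:5} hardened={hardened_is_allowed(u)}")
```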
Metadata
Created: 2025-05-03T21:30:23Z
Modified: 2025-05-05T18:24:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-f54f-hr32-586f/GHSA-f54f-hr32-586f.json
CWE IDs: CWE-647
Alternative ID: N/A
Finding: N/A
Auto approve: 0