CVE-2025-47241

Name of the Vulnerable Software and Affected Versions Browser Use versions prior to 0.1.45

Description The issue arises from the mishandling of URL parsing of allowed domains, allowing userinfo to be placed in the authority component. This can lead to a whitelist bypass, exposing internal services. The vulnerability is caused by the line domain = domain.split(':')[0] in the is url allowed() method, which enables an attacker to manipulate basic authentication credentials. By replacing the username with a whitelisted domain, the check can be bypassed, even though the actual domain remains different.

Recommendations For Browser Use versions prior to 0.1.45, consider disabling the is url allowed() function until a patch is available. Restrict access to the browser use module to minimize the risk of exploitation. Avoid using the allowed domains list in the affected API endpoint until the issue is resolved. Update to a version that includes the fix for this vulnerability once it becomes available.