PT-2026-53395 · Pypi · Browser-Use

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.3

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Summary

During a manual source code review, ARIMLABS.AI researchers identified that the browser use module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can be bypassed, leading to severe security implications.

Details

File: browser use/browser/context.py
The BrowserContextConfig class defines an allowed domains list, which is intended to limit accessible domains. This list is checked in the is url allowed() method before navigation:
python
@dataclass
 class BrowserContextConfig:
  """
  [STRIPPED]
  """
  cookies file: str | None = None
  minimum wait page load time: float = 0.5
  wait for network idle page load time: float = 1
  maximum wait page load time: float = 5
  wait between actions: float = 1

  disable security: bool = True

  browser window size: BrowserContextWindowSize = field(default factory=lambda: {'width': 1280, 'height': 1100})
  no viewport: Optional[bool] = None

  save recording path: str | None = None
  save downloads path: str | None = None
  trace path: str | None = None
  locale: str | None = None
  user agent: str = (
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'
  )

  highlight elements: bool = True
  viewport expansion: int = 500
  allowed domains: list[str] | None = None
  include dynamic attributes: bool = True

   force keep context alive: bool = False
The is url allowed() method is responsible for checking whether a given URL is permitted:
python
def is url allowed(self, url: str) -> bool:
  """Check if a URL is allowed based on the whitelist configuration."""
  if not self.config.allowed domains:
    return True

  try:
    from urllib.parse import urlparse

    parsed url = urlparse(url)
    domain = parsed url.netloc.lower()

    # Remove port number if present
    if ':' in domain:
      domain = domain.split(':')[0]

    # Check if domain matches any allowed domain pattern
    return any(
      domain == allowed domain.lower() or domain.endswith('.' + allowed domain.lower())
      for allowed domain in self.config.allowed domains
    )
  except Exception as e:
    logger.error(f'Error checking URL allowlist: {str(e)}')
    return False
The core issue stems from the line domain = domain.split(':')[0], which allows an attacker to manipulate basic authentication credentials by providing a username:password pair. By replacing the username with a whitelisted domain, the check can be bypassed, even though the actual domain remains different.

Proof of Concept (PoC)

Set allowed domains to ['example.com'] and use the following URL:
This allows bypassing all whitelist controls and accessing restricted internal services.

Impact

  • Affected all users relying on this functionality for security.
  • Potential for unauthorized enumeration of localhost services and internal networks.
  • Ability to bypass domain whitelisting, leading to unauthorized browsing.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-300

Affected Products

Browser-Use