ghsa-x39x-9qw5-ghrf
Vulnerability from github
Published
2025-05-05 18:25
Modified
2025-05-05 18:25
Severity ?
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Summary
Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL
Details

Summary

During a manual source code review, ARIMLABS.AI researchers identified that the browser_use module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can be bypassed, leading to severe security implications.

Details

File: browser_use/browser/context.py

The BrowserContextConfig class defines an allowed_domains list, which is intended to limit accessible domains. This list is checked in the _is_url_allowed() method before navigation:

```python @dataclass class BrowserContextConfig: """ [STRIPPED] """ cookies_file: str | None = None minimum_wait_page_load_time: float = 0.5 wait_for_network_idle_page_load_time: float = 1 maximum_wait_page_load_time: float = 5 wait_between_actions: float = 1

disable_security: bool = True

browser_window_size: BrowserContextWindowSize = field(default_factory=lambda: {'width': 1280, 'height': 1100})
no_viewport: Optional[bool] = None

save_recording_path: str | None = None
save_downloads_path: str | None = None
trace_path: str | None = None
locale: str | None = None
user_agent: str = (
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'
)

highlight_elements: bool = True
viewport_expansion: int = 500
allowed_domains: list[str] | None = None
include_dynamic_attributes: bool = True

_force_keep_context_alive: bool = False

The _is_url_allowed() method is responsible for checking whether a given URL is permitted:python def _is_url_allowed(self, url: str) -> bool: """Check if a URL is allowed based on the whitelist configuration.""" if not self.config.allowed_domains: return True

try:
    from urllib.parse import urlparse

    parsed_url = urlparse(url)
    domain = parsed_url.netloc.lower()

    # Remove port number if present
    if ':' in domain:
        domain = domain.split(':')[0]

    # Check if domain matches any allowed domain pattern
    return any(
        domain == allowed_domain.lower() or domain.endswith('.' + allowed_domain.lower())
        for allowed_domain in self.config.allowed_domains
    )
except Exception as e:
    logger.error(f'Error checking URL allowlist: {str(e)}')
    return False

`` The core issue stems from the linedomain = domain.split(':')[0]`, which allows an attacker to manipulate basic authentication credentials by providing a username:password pair. By replacing the username with a whitelisted domain, the check can be bypassed, even though the actual domain remains different.

Proof of Concept (PoC)

Set allowed_domains to ['example.com'] and use the following URL:

https://example.com:pass@localhost:8080

This allows bypassing all whitelist controls and accessing restricted internal services.

Impact

  • Affected all users relying on this functionality for security.
  • Potential for unauthorized enumeration of localhost services and internal networks.
  • Ability to bypass domain whitelisting, leading to unauthorized browsing.
Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.44"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "browser-use"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-647"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T18:25:04Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary  \nDuring a manual source code review, [**ARIMLABS.AI**](https://arimlabs.ai) researchers identified that the `browser_use` module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can be bypassed, leading to severe security implications.  \n\n### Details  \n**File:** `browser_use/browser/context.py`  \n\nThe `BrowserContextConfig` class defines an `allowed_domains` list, which is intended to limit accessible domains. This list is checked in the `_is_url_allowed()` method before navigation:\n\n```python\n@dataclass\nclass BrowserContextConfig:\n    \"\"\"\n    [STRIPPED]\n    \"\"\"\n    cookies_file: str | None = None\n    minimum_wait_page_load_time: float = 0.5\n    wait_for_network_idle_page_load_time: float = 1\n    maximum_wait_page_load_time: float = 5\n    wait_between_actions: float = 1\n\n    disable_security: bool = True\n\n    browser_window_size: BrowserContextWindowSize = field(default_factory=lambda: {\u0027width\u0027: 1280, \u0027height\u0027: 1100})\n    no_viewport: Optional[bool] = None\n\n    save_recording_path: str | None = None\n    save_downloads_path: str | None = None\n    trace_path: str | None = None\n    locale: str | None = None\n    user_agent: str = (\n        \u0027Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\u0027\n    )\n\n    highlight_elements: bool = True\n    viewport_expansion: int = 500\n    allowed_domains: list[str] | None = None\n    include_dynamic_attributes: bool = True\n\n    _force_keep_context_alive: bool = False\n```\nThe _is_url_allowed() method is responsible for checking whether a given URL is permitted:\n```python\ndef _is_url_allowed(self, url: str) -\u003e bool:\n    \"\"\"Check if a URL is allowed based on the whitelist configuration.\"\"\"\n    if not self.config.allowed_domains:\n        return True\n\n    try:\n        from urllib.parse import urlparse\n\n        parsed_url = urlparse(url)\n        domain = parsed_url.netloc.lower()\n\n        # Remove port number if present\n        if \u0027:\u0027 in domain:\n            domain = domain.split(\u0027:\u0027)[0]\n\n        # Check if domain matches any allowed domain pattern\n        return any(\n            domain == allowed_domain.lower() or domain.endswith(\u0027.\u0027 + allowed_domain.lower())\n            for allowed_domain in self.config.allowed_domains\n        )\n    except Exception as e:\n        logger.error(f\u0027Error checking URL allowlist: {str(e)}\u0027)\n        return False\n```\nThe core issue stems from the line `domain = domain.split(\u0027:\u0027)[0]`, which allows an attacker to manipulate basic authentication credentials by providing a username:password pair. By replacing the username with a whitelisted domain, the check can be bypassed, even though the actual domain remains different.\n### Proof of Concept (PoC)\n\nSet allowed_domains to [\u0027example.com\u0027] and use the following URL:\n\nhttps://example.com:pass@localhost:8080\n\nThis allows bypassing all whitelist controls and accessing restricted internal services.\n### Impact\n\n- Affected all users relying on this functionality for security.\n- Potential for unauthorized enumeration of localhost services and internal networks.\n- Ability to bypass domain whitelisting, leading to unauthorized browsing.",
  "id": "GHSA-x39x-9qw5-ghrf",
  "modified": "2025-05-05T18:25:04Z",
  "published": "2025-05-05T18:25:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/browser-use/browser-use/security/advisories/GHSA-x39x-9qw5-ghrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47241"
    },
    {
      "type": "WEB",
      "url": "https://github.com/browser-use/browser-use/pull/1561"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/browser-use/browser-use"
    },
    {
      "type": "WEB",
      "url": "https://github.com/browser-use/browser-use/releases/tag/0.1.45"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.