16 matches found
Atomicity for Agents: Exposing, Exploiting, and Mitigating TOCTOU Vulnerabilities in Browser-Use Agents
Browser-use agents are widely used for everyday tasks. They enable automated interaction with web pages through structured DOM based interfaces or vision language models operating on page screenshots. However, web pages often change between planning and execution, causing agents to execute action...
EUVD-2025-13352
Malicious code in bioql PyPI...
Access Control Bypass
Overview browser-use is a Make websites accessible for AI agents Affected versions of this package are vulnerable to Access Control Bypass via the searchgoogle and gotourl functions, which fail to enforce domain restrictions by using direct page.goto calls instead of the validated...
VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents
Computer-Use Agents CUAs with full system access enable powerful task automation but pose significant security and privacy risks due to their ability to manipulate files, access user data, and execute arbitrary commands. While prior work has focused on browser-based agents and HTML-level attacks,...
Use of Non-Canonical URL Paths for Authorization Decisions
Overview browser-use is a Make websites accessible for AI agents Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions through the isurlallowed method, that responsible for checking alloweddomains list from BrowserContextConfig class . An...
GHSA-X39X-9QW5-GHRF Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL
Summary During a manual source code review, ARIMLABS.AI researchers identified that the browseruse module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can...
CVE-2025-47241
In browser-use aka Browser Use before 0.1.45, URL parsing of alloweddomains is mishandled because userinfo can be placed in the authority component...
GHSA-F54F-HR32-586F Duplicate Advisory: `allowed_domains` can be bypassed by putting a decoy domain in http auth username portion of a URL
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-x39x-9qw5-ghrf. This link is maintained to preserve external references. Original Description In browser-use aka Browser Use before 0.1.45, URL parsing of alloweddomains is mishandled because userinfo can be...
CVE-2025-47241
In browser-use aka Browser Use before 0.1.45, URL parsing of alloweddomains is mishandled because userinfo can be placed in the authority component...
CVE-2025-47241
In browser-use aka Browser Use before 0.1.45, URL parsing of alloweddomains is mishandled because userinfo can be placed in the authority component...
Browser Use 安全漏洞
Browser Use is an open source application from Browser Use. Allows AI agents to access websites. A security vulnerability exists in versions of Browser Use prior to 0.1.45 that stems from improper URL parsing of alloweddomains, which could lead to user information being placed in the authorizatio...
CVE-2025-47241
CVE-2025-47241 affects the browser-use (Browser Use) project prior to 0.1.45. The root cause is incorrect handling of userinfo in the authority component during URL parsing of allowed_domains in BrowserContextConfig._is_url_allowed(): the code strips the port from netloc with domain.split(':')[0]...
CVE-2025-47241
In browser-use aka Browser Use before 0.1.45, URL parsing of alloweddomains is mishandled because userinfo can be placed in the authority component...
Authorization Bypass Through User-Controlled Key
Overview browser-use is a Make websites accessible for AI agents Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to the default settings disablesecurity=True and --remote-debugging-address=0.0.0.0. A remote attacker can execute arbitrary...
Access Control Bypass
Overview browser-use is a Make websites accessible for AI agents Affected versions of this package are vulnerable to Access Control Bypass via the server's configuration, an attacker can access the debug port, which was inadvertently exposed on all network interfaces. Remediation Upgrade...
Important: Red Hat Security Advisory: thunderbird security update
An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available...