CVE-2025-47241

CVE-2025-47241 is a critical-severity security vulnerability in browser-use (pip), affecting versions <= 0.1.44. It is fixed in 0.1.45.

Summary

During a manual source code review, ARIMLABS.AI researchers identified that the browser_use module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can be bypassed, leading to severe security implications.

Details

File: browser_use/browser/context.py

The BrowserContextConfig class defines an allowed_domains list, which is intended to limit accessible domains. This list is checked in the _is_url_allowed() method before navigation:

@dataclass
class BrowserContextConfig:
    """
    [STRIPPED]
    """
    cookies_file: str | None = None
    minimum_wait_page_load_time: float = 0.5
    wait_for_network_idle_page_load_time: float = 1
    maximum_wait_page_load_time: float = 5
    wait_between_actions: float = 1

    disable_security: bool = True

    browser_window_size: BrowserContextWindowSize = field(default_factory=lambda: {'width': 1280, 'height': 1100})
    no_viewport: Optional[bool] = None

    save_recording_path: str | None = None
    save_downloads_path: str | None = None
    trace_path: str | None = None
    locale: str | None = None
    user_agent: str = (
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'
    )

    highlight_elements: bool = True
    viewport_expansion: int = 500
    allowed_domains: list[str] | None = None
    include_dynamic_attributes: bool = True

    _force_keep_context_alive: bool = False

The _is_url_allowed() method is responsible for checking whether a given URL is permitted:

def _is_url_allowed(self, url: str) -> bool:
    """Check if a URL is allowed based on the whitelist configuration."""
    if not self.config.allowed_domains:
        return True

    try:
        from urllib.parse import urlparse

        parsed_url = urlparse(url)
        domain = parsed_url.netloc.lower()

        # Remove port number if present
        if ':' in domain:
            domain = domain.split(':')[0]

        # Check if domain matches any allowed domain pattern
        return any(
            domain == allowed_domain.lower() or domain.endswith('.' + allowed_domain.lower())
            for allowed_domain in self.config.allowed_domains
        )
    except Exception as e:
        logger.error(f'Error checking URL allowlist: {str(e)}')
        return False

The core issue stems from the line domain = domain.split(':')[0], which allows an attacker to manipulate basic authentication credentials by providing a username:password pair. By replacing the username with a whitelisted domain, the check can be bypassed, even though the actual domain remains different.

Proof of Concept (PoC)

Set allowed_domains to ['example.com'] and use the following URL:

https://example.com:pass@localhost:8080

This allows bypassing all whitelist controls and accessing restricted internal services.

Impact

  • Affected all users relying on this functionality for security.
  • Potential for unauthorized enumeration of localhost services and internal networks.
  • Ability to bypass domain whitelisting, leading to unauthorized browsing.

CVE-2025-47241 has a CVSS score of 9.3 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.1.45); upgrading removes the vulnerable code path.

Affected versions

browser-use (<= 0.1.44)

Security releases

browser-use → 0.1.45 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade browser-use to 0.1.45 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-47241? CVE-2025-47241 is a critical-severity security vulnerability in browser-use (pip), affecting versions <= 0.1.44. It is fixed in 0.1.45.
  2. How severe is CVE-2025-47241? CVE-2025-47241 has a CVSS score of 9.3 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of browser-use are affected by CVE-2025-47241? browser-use (pip) versions <= 0.1.44 is affected.
  4. Is there a fix for CVE-2025-47241? Yes. CVE-2025-47241 is fixed in 0.1.45. Upgrade to this version or later.
  5. Is CVE-2025-47241 exploitable, and should I be worried? Whether CVE-2025-47241 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-47241 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-47241? Upgrade browser-use to 0.1.45 or later.

Other vulnerabilities in browser-use

Stop the waste.
Protect your environment with Kodem.