CVE-2025-47241: Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL
During a manual source code review, ARIMLABS.AI researchers identified that the browser_use module includes a built-in allow list (`allowed_domains`) that restricts the URLs an agent may visit. This restriction is enforced during agent initialization. However, it was discovered that the check can be bypassed by placing a decoy (allowed) domain in the HTTP auth username portion of a URL, so the agent navigates to a host outside the allow list, with severe security implications.
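The following is an added illustration, not browser_use's own code: a hypothetical weak check that matches the allow list against the raw URL text, beside a hardened check that parses the URL and compares only the hostname (RFC 3986 userinfo, the `user:pass@` part, is never part of the host). The domains are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed allow list; hypothetical domains, not real hosts.
ALLOWED_DOMAINS = ["docs.example.com", "app.example.com"]


def naive_is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Hypothetical weak check (NOT browser_use's real code): tests whether
    the text after the scheme starts with an allowed domain. Because the
    userinfo component precedes the host, a URL such as
    https://docs.example.com@attacker.example/ passes even though the
    browser will connect to attacker.example."""
    rest = url.split("://", 1)[-1]
    return any(rest.startswith(d) for d in allowed)


def strict_is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Hardened check: parse the URL and compare the parsed hostname only.
    urlparse().hostname strips userinfo and port and lowercases the host."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False  # refuse non-web schemes outright
    host = parsed.hostname
    if not host:
        return False  # no authority component at all
    # Exact match or a proper subdomain of an allowed domain; a plain
    # endswith() without the leading dot would accept evildocs.example.com.
    return any(host == d or host.endswith("." + d) for d in allowed)


def has_userinfo(url: str) -> bool:
    """Extra defensive signal: agent tasks rarely need credentials embedded
    in a URL, so their presence is worth logging or rejecting."""
    parsed = urlparse(url)
    return parsed.username is not None or parsed.password is not None


if __name__ == "__main__":
    for u in ["https://docs.example.com/page",
              "https://docs.example.com@attacker.example/"]:
        print(u, "naive:", naive_is_allowed(u), "strict:", strict_is_allowed(u))
```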