0.13.0
3 months ago
7 days ago
Known vulnerabilities in the @n8n/mcp-browser package. This does not include vulnerabilities belonging to this package’s dependencies.
Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
@n8n/mcp-browser is a Browser automation MCP tools built on Playwright, WebDriver BiDi, and safaridriver Affected versions of this package are vulnerable to Missing Authentication for Critical Function through the MCP server’s HTTP request handling. An attacker can take over a user’s browser session by sending requests to the MCP endpoint and invoking browser tools without presenting any credentials. When the extension is installed and the browser connection is active, a network-reachable client or a website the user visits can reach the HTTP listener and use the real browser profile to navigate, run JavaScript, and read cookies and storage. This exposes browser state and allows the attacker to act using the user’s browser capabilities. Notes
Workarounds
How to fix Missing Authentication for Critical Function? Upgrade | <0.8.1>=0.9.0 <0.9.1 |