@n8n/mcp-browser@0.9.0

Browser automation MCP tools built on Playwright, WebDriver BiDi, and safaridriver

  • latest version

    0.13.0

  • latest non vulnerable version

  • first published

    3 months ago

  • latest version published

    7 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @n8n/mcp-browser package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Missing Authentication for Critical Function

    @n8n/mcp-browser is a Browser automation MCP tools built on Playwright, WebDriver BiDi, and safaridriver

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function through the MCP server’s HTTP request handling. An attacker can take over a user’s browser session by sending requests to the MCP endpoint and invoking browser tools without presenting any credentials. When the extension is installed and the browser connection is active, a network-reachable client or a website the user visits can reach the HTTP listener and use the real browser profile to navigate, run JavaScript, and read cookies and storage. This exposes browser state and allows the attacker to act using the user’s browser capabilities.

    Notes

    • The issue is limited to @n8n/mcp-browser when it is started in HTTP transport mode; the default stdio transport is not part of the vulnerable path.

    Workarounds

    • Avoid running @n8n/mcp-browser with --transport http; use the default stdio transport instead to prevent unauthenticated network or website access to browser-control sessions.
    • If you must use HTTP transport, restrict the listening port to trusted clients only with host-based firewall rules to block untrusted network access to the MCP endpoint.

    How to fix Missing Authentication for Critical Function?

    Upgrade @n8n/mcp-browser to version 0.8.1, 0.9.1 or higher.

    <0.8.1>=0.9.0 <0.9.1