Vulnerability	Vulnerable Version
M Use of Non-Canonical URL Paths for Authorization Decisions browser-use is a Make websites accessible for AI agents Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions through the `_is_url_allowed()` method, that responsible for checking `allowed_domains` list from `BrowserContextConfig` class . An attacker can manipulate basic authentication credentials and access restricted internal services by providing a username: password pair where the username is a whitelisted domain, effectively bypassing the domain check, even though the actual domain remains different. Note: The vulnerability affects all users relying on this functionality for security and allows unauthorized enumeration of localhost services and internal networks. How to fix Use of Non-Canonical URL Paths for Authorization Decisions? Upgrade `browser-use` to version 0.1.45 or higher.	[,0.1.45)

Use of Non-Canonical URL Paths for Authorization Decisions

browser-use is a Make websites accessible for AI agents

Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions through the _is_url_allowed() method, that responsible for checking allowed_domains list from BrowserContextConfig class . An attacker can manipulate basic authentication credentials and access restricted internal services by providing a username: password pair where the username is a whitelisted domain, effectively bypassing the domain check, even though the actual domain remains different.

Note: The vulnerability affects all users relying on this functionality for security and allows unauthorized enumeration of localhost services and internal networks.

How to fix Use of Non-Canonical URL Paths for Authorization Decisions?

Upgrade browser-use to version 0.1.45 or higher.

[,0.1.45)

Go back to all versions of this package