CVE-2025-1234 in Browser Use (v0.1.45 and earlier) allows an attacker to bypass the `allowed_domains` allow-list by placing a decoy, allow-listed domain in the userinfo (HTTP Basic auth) portion of a URL's authority. The root cause is improper parsing of the authority component: in `scheme://userinfo@host:port/...` the browser connects to the host that follows the last `@`, but the domain check did not discard the userinfo segment before comparing (e.g., `[email protected]@legit.com`), so a URL whose credentials part spells an allowed domain passes the check while the navigation actually goes to the attacker's host. Exploiting this can lead to SSRF, phishing, or unauthorized data access.
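To make the parsing flaw concrete, the following is an added example (not Browser Use's code, and not taken from the advisory): a hypothetical reconstruction of a check that strips the port by splitting the netloc on the first ":", which returns the decoy username when the URL carries "user:password@host", beside a hardened check that uses the parsed hostname and refuses any URL with embedded credentials. The domains trusted.example and attacker.example are constructed stand-ins.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demo (not from the advisory): the agent may
# only visit trusted.example and its subdomains.
ALLOWED_DOMAINS = ["trusted.example"]


def matches_allowlist(host, allowed):
    """Exact match or subdomain match against the allow-list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def naive_host(url):
    """Hypothetical reconstruction of the flawed check (not Browser Use's
    actual code): take the netloc and drop everything after the first ':'
    to remove a port. When the URL carries 'user:password@host', that first
    ':' ends the *username*, so the decoy domain is returned instead of the
    host the browser will connect to."""
    netloc = urlsplit(url).netloc.lower()
    return netloc.split(":", 1)[0]


def real_host(url):
    """Hardened extraction: urlsplit().hostname discards userinfo and port and
    lowercases the result, so it is the host the browser actually reaches."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def naive_is_allowed(url, allowed=ALLOWED_DOMAINS):
    try:
        return matches_allowlist(naive_host(url), allowed)
    except ValueError:  # malformed IPv6 literal
        return False


def hardened_is_allowed(url, allowed=ALLOWED_DOMAINS):
    try:
        parts = urlsplit(url)  # raises ValueError on malformed IPv6 literals
    except ValueError:
        return False
    # Credentials embedded in a navigation URL are a red flag in themselves:
    # refuse them outright rather than trying to interpret them.
    if parts.username is not None or parts.password is not None:
        return False
    host = real_host(url)
    return bool(host) and matches_allowlist(host, allowed)


def compare(url, allowed=ALLOWED_DOMAINS):
    """Return both verdicts plus the host the browser would actually reach."""
    return {
        "naive_allows": naive_is_allowed(url, allowed),
        "hardened_allows": hardened_is_allowed(url, allowed),
        "real_host": real_host(url),
    }


if __name__ == "__main__":
    # Constructed test URLs; attacker.example stands in for an attacker host.
    for u in [
        "https://trusted.example/login",
        "https://docs.trusted.example:8443/api",
        "http://trusted.example:anything@attacker.example/collect",
        "http://trusted.example@attacker.example/",
        "http://attacker.example/",
    ]:
        print(u, compare(u))
```

Note that the username-only form `http://trusted.example@attacker.example/` happens to be rejected by this naive check, because without a password there is no ":" to split on; it is the password separator that turns the decoy into the compared value, which is why the hardened version refuses credentials entirely instead of trying to strip them.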
DailyCVE Form:
Platform: Browser Use
Version: ≤0.1.45
Vulnerability: URL parsing bypass
Severity: Critical
Date: 2025-05-03
What Undercode Says:
Exploit:
import requests

# PoC request: the allow-listed name sits in the userinfo segment of the authority,
# while the host the client actually connects to is the one after the "@".
url = "http://[email protected]@legit.com"
response = requests.get(url, allow_redirects=False)
print(response.status_code, response.url)
Protection:
1. Update to Browser Use v0.1.46+.
2. Sanitize URLs by stripping `userinfo`:
function sanitizeUrl(url) {
  // Parse with the URL API rather than a regex: /^[^@]+@/ would also strip the
  // scheme, and an "@" in the path or query would mangle the URL.
  const u = new URL(url);
  u.username = "";
  u.password = "";
  return u.href;
}
Analytics:
- Impact: High (SSRF, phishing).
- Attack Complexity: Low (no prerequisites).
- Mitigation: Patch available.
Detection:
# locate every allow-list check, then confirm each one compares the parsed hostname rather than the raw netloc/authority
grep -rn "allowed_domains" /path/to/code
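The grep above finds where the allow-list is enforced in code; it does not tell you whether anyone tried the bypass. The following is an added example (not part of the advisory or of Browser Use) that scans navigation log lines for URLs carrying userinfo and classifies a hit as a bypass attempt when the userinfo spells an allow-listed name while the real host is outside the allow-list. The log lines, the `url=` field format and the domains trusted.example and attacker.example are all constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed log excerpt (not real Browser Use output); each line records a
# navigation the agent performed, with the target URL in a "url=" field.
SAMPLE_LOG = """\
2025-05-03T10:00:01Z INFO navigate url=https://trusted.example/login
2025-05-03T10:00:07Z INFO navigate url=http://trusted.example:x@attacker.example/collect?t=1
2025-05-03T10:00:09Z INFO navigate url=https://docs.trusted.example/api
2025-05-03T10:00:12Z INFO navigate url=https://user:pass@trusted.example/private
"""

URL_RE = re.compile(r"url=(\S+)")  # assumed log field format
ALLOWED_DOMAINS = ["trusted.example"]  # constructed allow-list


def host_allowed(host, allowed):
    """Exact or subdomain match against the allow-list."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def scan_navigation_log(text, allowed=ALLOWED_DOMAINS):
    """Return one finding per navigation whose URL carries userinfo.
    kind == "bypass": the userinfo names an allow-listed domain but the real
                      host (after the last "@") is not allow-listed.
    kind == "credentials": any other URL with embedded credentials, which an
                      agent should not normally be navigating to either.
    kind == "unparseable": urlsplit rejected the URL (e.g. bad IPv6 literal)."""
    findings = []
    for line in text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        try:
            parts = urlsplit(url)
        except ValueError:
            findings.append({"url": url, "kind": "unparseable"})
            continue
        if parts.username is None and parts.password is None:
            continue
        decoy = (parts.username or "").lower()
        real = parts.hostname
        if host_allowed(decoy, allowed) and not host_allowed(real, allowed):
            kind = "bypass"
        else:
            kind = "credentials"
        findings.append({"url": url, "kind": kind, "decoy": decoy, "real_host": real})
    return findings


if __name__ == "__main__":
    for f in scan_navigation_log(SAMPLE_LOG):
        print(f)
```

The classification keys on the parsed hostname only, so a decoy that merely contains an allowed name as a substring (for example `trusted.example.attacker.example` as the real host) is still reported as outside the allow-list.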
Patch Reference:
- if (domain in allowed_domains) + if (new URL(url).hostname in allowed_domains)
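Review bot: the `+` line's `new URL(url).hostname in allowed_domains` uses the JavaScript `in` operator, which tests for an object key (or an array index), not array membership, so with an array allow-list it is true only when the hostname happens to equal an index; use `allowed_domains.includes(hostname)` or a `Set`. Also wrap `new URL(url)` in a try/catch since it throws on malformed input, and decide explicitly whether subdomains of an allowed domain should match, because an exact comparison rejects them.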
Logging:
import logging

def log_blocked_url(url):
    # logging.warn is deprecated; logging.warning is the supported call
    logging.warning("Invalid domain attempt: %s", url)
Curl Test:
# curl treats the text before the "@" as Basic auth credentials and connects to the host after it; -v shows which host it resolves
curl -v "http://[email protected]@trusted.com"
WAF Rule:
# nginx; only useful where the target URL is submitted as part of the request URI. $request_uri is not percent-decoded, so "%40" slips past a literal "@" match, and legitimate "@" characters in query strings will also be blocked.
if ($request_uri ~ "@") { return 403; }
References:
- GHSA-x39x-9qw5-ghrf
- NVD: CVE-2025-1234
Sources:
Reported By: github.com