Critical Vulnerability Information Vulnerability Description Vulnerability Type: The restriction can be bypassed by placing a spoofed domain in the HTTP authentication username portion of a URL. Affected Versions: <= 0.1.45 Fixed Version: 0.1.45 Vulnerability Details File: browser_use/browser/context.py Class: BrowserContextConfig Method: Issue: A logical flaw exists in the URL allowance check. The code allows attackers to manipulate basic authentication credentials by providing a username:password pair, thereby bypassing whitelist controls. Impact All users relying on this feature for security protection are affected. Potential Risks: - Unauthorized enumeration of local host services and internal network resources. - Bypassing domain whitelists, leading to unauthorized browsing. Proof of Concept (PoC) Setup: Allowed domains configured as ['example.com'] URL: https://example.com:pass@localhost:8080 Effect: Successfully bypasses all whitelist controls and accesses restricted internal services. CVSS Score Severity: Critical (9.3/10) Attack Vector: Network Attack Complexity: Low Required Privileges: None User Interaction: None Scope: Changed Confidentiality Impact: High Integrity Impact: None Availability Impact: Low CVE ID CVE-2025-47241 Discoverers mmudryi markiyanch