In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.
{ "versions": [ { "introduced": "0" }, { "fixed": "0.1.45" } ] }
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47241.json"