GHSA-f54f-hr32-586f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f54f-hr32-586f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-f54f-hr32-586f/GHSA-f54f-hr32-586f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f54f-hr32-586f
- Withdrawn
- 2025-05-05T18:24:47Z
- Published
- 2025-05-03T21:30:23Z
- Modified
- 2025-05-05T18:58:21.228998Z
- Severity
-
- 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L CVSS Calculator
- Summary
- Duplicate Advisory: `allowed_domains` can be bypassed by putting a decoy domain in http auth username portion of a URL
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-x39x-9qw5-ghrf. This link is maintained to preserve external references.
Original Description
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.
- Database specific
{ "nvd_published_at": "2025-05-03T21:15:48Z", "cwe_ids": [ "CWE-647" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-05T18:24:47Z" }- References
Affected packages
PyPI / browser-use
Package
- Name
- browser-use
- View open source insights on deps.dev
- Purl
- pkg:pypi/browser-use
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.1.45
Affected versions
0.*
0.1.0
0.1.1
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.30
0.1.31
0.1.32
0.1.33
0.1.34
0.1.35
0.1.36
0.1.37
0.1.38
0.1.39
0.1.40
0.1.41
0.1.42
0.1.43