CVE-2025-47241: 
Python vulnerability analysis and mitigation

CVE-2025-47241 affects the browser-use (aka Browser Use) library versions before 0.1.45, discovered during a manual source code review by ARIMLABS.AI researchers and disclosed on May 3, 2025. The vulnerability involves improper URL parsing of allowed_domains functionality, where the userinfo component in the authority section of URLs could be manipulated to bypass domain restrictions (GitHub Advisory, NVD).

The vulnerability exists in the BrowserContextConfig class within browseruse/browser/context.py. The isurlallowed() method incorrectly handles domain parsing by splitting on ':' character without properly accounting for the userinfo section of the URL. This allows attackers to bypass domain restrictions by placing a whitelisted domain in the username portion of the URL. For example, with allowed_domains set to ['example.com'], an attacker could bypass restrictions using URLs like 'https://example.com:password@malicious.com'. The vulnerability has been assigned a CVSS v3.1 base score of 9.3 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L (GitHub Advisory).

The vulnerability allows attackers to bypass domain whitelisting controls, potentially leading to unauthorized access to internal services and networks. This could result in unauthorized browsing capabilities and the ability to enumerate localhost services. The impact is particularly severe for organizations relying on this functionality for security controls (GitHub Advisory, Security Online).

The vulnerability has been fixed in version 0.1.45 of browser-use. The patch ensures proper validation of URLs by correctly handling the authority component and preventing bypass attempts through userinfo manipulation. Users are strongly recommended to upgrade to version 0.1.45 or later (GitHub Release).