GHSA-f54f-hr32-586f: Duplicate Advisory: `allowed_domains` can be bypassed by putting a decoy domain in http auth username portion of a URL
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-x39x-9qw5-ghrf. This link is maintained to preserve external references.
Original Description
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.
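The class of bug described above, as an added example that is not browser-use's own code: a hypothetical allow-list check that reads the host from the raw authority string, next to a check that uses the parsed hostname and refuses URLs carrying userinfo. The function names, the allow-list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_DOMAINS = ["example.com"]  # constructed sample allow-list


def _matches(host, allowed):
    # Exact match or a true subdomain; the "." prefix stops "notexample.com".
    return any(host == d or host.endswith("." + d) for d in allowed)


def naive_is_allowed(url, allowed=ALLOWED_DOMAINS):
    """Hypothetical weak check: takes the authority up to the first ':' as the host."""
    authority = urlsplit(url).netloc.lower()  # may still hold a 'user:pass@' prefix
    domain = authority.split(":")[0]          # meant to drop the port, keeps userinfo
    return _matches(domain, allowed)


def strict_is_allowed(url, allowed=ALLOWED_DOMAINS):
    """Decide on the parsed hostname only, and reject any URL that has userinfo."""
    try:
        parts = urlsplit(url)
    except ValueError:                        # malformed authority (e.g. bad IPv6 literal)
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False                          # userinfo has no place in an allow-listed URL
    host = (parts.hostname or "").rstrip(".") # hostname is lower-cased, port removed
    return bool(host) and _matches(host, allowed)


if __name__ == "__main__":
    samples = [                               # constructed sample URLs
        "https://example.com/login",
        "https://sub.example.com:8443/",
        "https://example.com:x@untrusted.test/",
        "https://notexample.com/",
    ]
    for u in samples:
        print(f"{u:45} naive={naive_is_allowed(u)!s:5} strict={strict_is_allowed(u)}")
```
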