exploitDog

GHSA-f54f-hr32-586f

Published: 03 May 2025
Source: github
GitHub: Reviewed
CVSS3: 9.3

Description

Duplicate Advisory: allowed_domains can be bypassed by putting a decoy domain in http auth username portion of a URL

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-x39x-9qw5-ghrf. This link is maintained to preserve external references.

Original Description

In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.
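
The class of mistake described above (CWE-647), shown beside a hardened check. This is an added example, not browser-use's own code: the function names, the allow-list, the subdomain policy and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_DOMAINS = ["example.com"]  # constructed allow-list


def naive_is_allowed(url, allowed=ALLOWED_DOMAINS):
    """Weak check (constructed illustration): treats everything before the
    first ':' in the authority as the host, so userinfo is read as the host."""
    authority = urlsplit(url).netloc.lower()
    host = authority.split(":", 1)[0]  # meant to strip the port only
    return host in allowed


def strict_is_allowed(url, allowed=ALLOWED_DOMAINS):
    """Hardened check: compares only the parsed hostname, and rejects any URL
    that carries userinfo, since navigation targets have no need for it."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return False
    if parts.scheme not in ("http", "https") or has_userinfo or not host:
        return False
    # Assumed policy: exact match, or subdomain on a dot boundary.
    return any(host == d or host.endswith("." + d) for d in allowed)


def audit(urls):
    """Return (url, naive_result, strict_result) for each URL."""
    return [(u, naive_is_allowed(u), strict_is_allowed(u)) for u in urls]


# Constructed sample URLs; .test is a reserved TLD.
SAMPLES = [
    "https://example.com/login",
    "https://example.com:x@other.test/",  # allowed name sits in userinfo
    "https://example.com.other.test/",    # allowed name as a label prefix
    "https://notexample.com/",            # suffix without a dot boundary
]

if __name__ == "__main__":
    for url, naive, strict in audit(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

A disagreement between the two columns marks a URL that the weak check would let through while the real destination host is outside the allow-list.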

Packages

Name: browser-use (pip)
Affected versions: <= 0.1.44
Fixed version: 0.1.45

9.3 Critical

CVSS3

Weaknesses

CWE-647