Medium severity4.0NVD Advisory· Published May 3, 2025· Updated Apr 15, 2026

CVE-2025-47241

Description

In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
browser-usePyPI	< 0.1.45	0.1.45

Patches

2969f4363714

https://github.com/browser-use/browser-usevia osv

cd2fc9178b20

https://github.com/browser-use/browser-usevia osv

PR #1561

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-x39x-9qw5-ghrfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-47241ghsaADVISORY
github.com/browser-use/browser-use/pull/1561nvdWEB
github.com/browser-use/browser-use/releases/tag/0.1.45nvdWEB
github.com/browser-use/browser-use/security/advisories/GHSA-x39x-9qw5-ghrfnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000