Aikido Intel
Secure My Code
Intel

AIKIDO-2025-10607

browser-use is vulnerable to Authorization Bypass Through User-Controlled Key

Authorization Bypass Through User-Controlled Key Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Sep 9, 2025

75

High Risk

This Affects:

pythonbrowser-use
0.1.0 - 0.1.40
Fixed in 0.1.41
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to Authorization Bypass due to an insecure default configuration where the disable_security flag was set to True, which disables key browser security features like Same-Origin Policy and Content Security Policy (CSP). An attacker could exploit this by tricking a user into visiting a malicious webpage, which could then execute arbitrary commands on the machine by abusing the exposed Chrome DevTools Protocol (CDP) connection, potentially leading to a complete compromise of the system.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

browser-use is vulnerable to Authorization Bypass Through User-Controlled Key in versions 0.1.0 - 0.1.40.

How to fix this

Upgrade the browser-use library to the patch version or explicitly set disable_security to False.

Links

Are You Affected?

Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.

Scan for Free
Book a Demo

Free. No credit card required.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done