browser-use is vulnerable to Path Traversal
87
High Risk
The browser-use agent's DownloadsWatchdog joins attacker-controlled download filenames from CDP events and HTTP response headers directly into the configured downloads directory, allowing arbitrary file writes outside that directory when the agent visits a malicious site. The upload_file action can resolve agent-supplied paths outside the agent FileSystem directory and expose local file contents to targeted browser uploads. With block_ip_addresses enabled, non-canonical IPv4 host forms bypass IP blocking, the MCP retry_with_browser_use_agent tool can silently disable configured domain allowlists, and the CLI daemon socket accepted unauthenticated local connections that could dispatch arbitrary Python code. Version 0.12.7 sanitizes download paths, contains uploads, canonicalizes blocked IP forms, preserves MCP allowlist defaults, and requires per-session daemon auth tokens.
You are affected if you are using a version that falls within the vulnerable range.
browser-use is vulnerable to Path Traversal in versions 0.7.0 - 0.12.6.
Upgrade the browser-use library to the patched version, 0.12.7.
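The download-path weakness described above comes down to one pattern: an untrusted filename (from a CDP download event or a Content-Disposition header) is joined straight into a trusted directory. The following is an added example, not browser-use's own code or its 0.12.7 fix. It places the vulnerable join beside a containment check and a filename sanitizer so the difference can be exercised directly; the function names, the `/srv/agent-downloads` directory and the sample filenames are constructed for illustration.

```python
"""Containing attacker-influenced download filenames inside a downloads directory.

Added illustration, not browser-use project code. The sample names below are
constructed to model values a site can place in a Content-Disposition header
or in a CDP download event's suggested filename.
"""
from pathlib import Path, PurePosixPath, PureWindowsPath

# Characters that must never appear in a bare filename: path separators,
# Windows-reserved punctuation, NUL and other control characters.
FORBIDDEN_CHARS = set('<>:"/\\|?*') | {chr(i) for i in range(32)} | {"\x7f"}
FALLBACK_NAME = "download"


def unsafe_download_path(downloads_dir: str, suggested_name: str) -> Path:
    """The vulnerable pattern: the untrusted name is joined straight under the directory.

    A name such as '../../etc/passwd', or an absolute path, escapes the directory.
    """
    return Path(downloads_dir) / suggested_name


def is_contained(downloads_dir: str, candidate: Path) -> bool:
    """True if candidate, after '..' and symlink resolution, sits directly in downloads_dir."""
    root = Path(downloads_dir).resolve()
    return candidate.resolve().parent == root


def sanitize_filename(suggested_name: str) -> str:
    """Reduce an untrusted name to a single safe path component."""
    # Keep only the final component under both POSIX and Windows separator rules,
    # so '../../etc/passwd', '..\\..\\win.ini' and 'C:\\x\\y' all collapse to a basename.
    name = PureWindowsPath(PurePosixPath(suggested_name).name).name
    name = "".join(ch for ch in name if ch not in FORBIDDEN_CHARS)
    # Leading/trailing dots and spaces are unsafe on Windows; this also turns '..' into ''.
    name = name.strip(" .")
    if not name:
        name = FALLBACK_NAME
    return name[:255]  # stay under common filesystem name-length limits


def safe_download_path(downloads_dir: str, suggested_name: str) -> Path:
    """Hardened join: sanitize the name, then verify the result still resolves under the root."""
    root = Path(downloads_dir).resolve()
    candidate = root / sanitize_filename(suggested_name)
    # The second check guards against a pre-existing symlink carrying the sanitized
    # name and pointing outside the directory.
    if not is_contained(downloads_dir, candidate):
        raise ValueError(f"refusing to write outside {root}: {candidate}")
    return candidate


# Constructed sample inputs (not real telemetry).
SAMPLE_NAMES = [
    "report.pdf",
    "../../etc/passwd",
    "..\\..\\Windows\\win.ini",
    "/etc/cron.d/job",
    "..",
    "notes\x00.txt",
]

if __name__ == "__main__":
    root = "/srv/agent-downloads"  # hypothetical downloads directory
    for name in SAMPLE_NAMES:
        naive = unsafe_download_path(root, name)
        print(f"{name!r:32} naive -> {naive} (contained: {is_contained(root, naive)})")
        print(f"{'':32} safe  -> {safe_download_path(root, name)}")
```

`Path.resolve()` is used non-strictly, so the check works even before the downloads directory exists, and resolving the root first means a symlinked downloads directory is compared against its real location. Restricting the sanitized name to a single component (rather than allowing nested subpaths) keeps the containment test to a simple parent comparison, which is the right shape for a flat downloads folder.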