Browser Use Desktop Agent Security Risks

Browser Agents github.com Exposed Giants
AI RISK QUADRANT POSITION DEFENSE CONTROLS (3) ATTACK SURFACE (6.32) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
5.2
High
Attack Surface
6.32
High
Blast Radius
7.63
Critical
Defense Controls
3
Critical
About The Agent

Browser Use Desktop is an Electron-based desktop application that runs autonomous browser agents on the operator's local machine. The agent daemon runs as a persistent Unix socket server managing a Chromium browser instance, a sandboxed JavaScript and Python code executor, and cookie porting that imports the operator's Chrome authenticated sessions. A WhatsApp inbound channel enables remote session triggers. The primary risk surface is the unfiltered ingestion of web page content into the LLM reasoning loop combined with unrestricted outbound browser access carrying ported authentication cookies.

About the AI Risk Quadrant

Exposed Giants placement reflects Browser Use Desktop's combination of a high attack surface driven by unfiltered web content ingestion and a confirmed domain whitelist bypass, a high blast radius anchored by Chrome cookie porting that grants access to every authenticated session the operator holds, and minimal vendor-implemented defense controls. Input guardrails and action approval gates are absent from the default configuration, and execution isolation is limited to a code sandbox that does not constrain the browser or the host-level agent process. Operators must implement their own input filtering, action gating, and monitoring before deploying.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Browser Use Desktop presents broad unfiltered input surfaces, absent approval gates, and minimal monitoring on its default configuration, placing hardening responsibility entirely on the operator.

Key Input Risks
The agent ingests raw HTML from visited web pages and WhatsApp messages without input validation or prompt shielding. Independent research demonstrated prompt injection success rates between 46% and 87% against the browser-use library across multiple independent studies.
Key Execution Risks
Browser Use Desktop executes JavaScript and Python in a sandboxed interpreter with blocked imports, while browser automation runs with full user-level privileges on the host. White-box analysis confirmed credential exfiltration through browser actions, a pickle deserialization RCE was demonstrated in the companion web-ui project [7], and a command injection vulnerability was patched.
Key Action Risks
The agent executes browser navigation, form submission, and DOM interaction autonomously with no per-action approval gates on the default configuration. Cookie porting from Chrome means every autonomous action carries the operator's full authenticated context across email, banking, and enterprise applications.
Key Output Risks
Output guardrails are limited to secret scrubbing that redacts API keys, tokens, and passwords from structured logs. No data loss prevention or exfiltration channel blocking is documented, leaving the browser as an unrestricted channel for agent-generated outbound traffic.
Key Monitoring Risks
The agent writes structured JSON-line logs with timestamps and component context, and includes crash telemetry for unhandled rejections. No SIEM integration, behavioral anomaly detection, or active alerting is documented, leaving concurrent-session anomalies invisible to the operator.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Browser Use Desktop scores reflect a broad attack surface with minimal vendor-implemented defenses against a high-capability agent running on the operator's own host.

AIRQ Metrics

Browser Use Desktop lands in the Exposed Giants quadrant with attack surface at 6.32, blast radius at 7.63, and defense controls at 3 of 15.

Attack surface and blast radius are each scored out of 10, defense controls out of 15, and the AIRQ composite integrates all three into a single readiness indicator.

Metric Score Comments
AIRQ Score 5.2 A low composite score driven primarily by minimal vendor-implemented defenses, indicating that hardening is operator-dependent for any production deployment.
Blast Radius 7.63 / 10 Cookie-ported credential access and unrestricted network egress through the browser drive the blast radius, offset only by the absence of deployment tooling.
Attack Surface 6.32 / 10 External data ingestion and configuration each reach near-ceiling adjusted scores, with all three trifecta conditions met.
Defense Controls 3 / 15 The vendor ships a code sandbox and secret scrubbing but no input guardrails, no action approval gates, and no centralized monitoring.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Browser Use Desktop's reasoning loop ingests untrusted web page content, operator-ported cookies, and WhatsApp messages through a daemon-managed Chromium instance with no input filtering.

Attack Surface Metrics

Higher scores indicate greater exposure of the reasoning loop to untrusted content, with external data and configuration reaching near-ceiling due to confirmed bypass vulnerabilities.

Each row names an attack surface, its adjusted score out of five, and the evidence anchoring the assessed exposure level.

Surface Score Comments
User Input 4 / 4 Desktop GUI, global keyboard shortcut, and WhatsApp inbound channel accept unvalidated input; independent research measured injection success rates between 46% and 87% [5][6][13].
External Data 5 / 4 Web page HTML is appended to the LLM prompt without sanitization [4], and CVE-2025-47241 demonstrated domain whitelist bypass allowing navigation to unauthorized sources [1].
Memory 1 / 4 Session-level context only with no cross-session persistent memory; cookie porting provides authentication persistence but not a poisonable memory store [8].
Reasoning 3 / 4 Model-agnostic architecture delegates reasoning to interchangeable LLM providers with no documented chain-of-thought visibility or reasoning constraint enforcement [8].
Planning 3 / 4 Autonomous task decomposition with multi-agent team delegation and no documented plan approval gates on the default configuration [8].
Tool Execution 3 / 4 Browser automation, sandboxed code execution, and file system access run with user-level privileges; a command injection was patched in the vendor codebase [14].
Orchestration 3 / 4 The agent daemon runs as a Unix socket server supporting headless operation, lifecycle event hooks, and concurrent multi-agent sessions [8].
Inter-Agent 1 / 4 Multi-agent team support is managed through the daemon with no external agent ecosystem connectivity or inter-agent authentication documented [8].
Output Processing 3 / 4 Secret scrubbing redacts API keys, tokens, and passwords from logs, but no exfiltration channel blocking or outbound URL sanitization is in place [8].
Configuration 4.5 / 4 CVE-2025-47241 demonstrated domain whitelist bypass [1][2], the init command fetches unverified templates [3], and litellm was removed after a supply chain incident [10].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Browser Use Desktop reads untrusted web page content, accesses every authenticated session the operator holds through Chrome cookie porting, and transmits outbound through an unrestricted Chromium browser.

Lethal Trifecta · Complete (3 of 3)

Browser Use Desktop exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Web page HTML from every visited site and WhatsApp messages from external parties feed directly into the LLM reasoning loop without sanitization [4].
  • Sensitive data — Chrome cookie porting gives the agent access to all authenticated sessions including email, banking, and enterprise applications [8][11].
  • External egress — Unrestricted outbound access through the Chromium browser allows navigation, form submission, and data transfer to any destination [1].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Browser Use Desktop agent reaches the operator's full authenticated browser context, home directory file system, and unrestricted network, with no deployment-specific tooling.

Blast Radius Metrics

Higher scores indicate broader reach from a compromised agent session, with credential access and network egress at ceiling due to cookie porting and unrestricted browsing.

Each row maps a blast factor to its score and the evidence anchoring the assessed scope of damage from a successful agent compromise.

Factor Score Comments
Code execution 3 / 4 Sandboxed JavaScript and Python execution with blocked imports and safe builtins, but the agent process runs with user-level privileges on the host [8][9].
File system access 3 / 4 The Electron application inherits home directory access, reads from the Chrome profile for cookie porting, and persists agent settings on the host file system [8].
Network access 4 / 4 Unrestricted outbound network access through Chromium with no domain restrictions; CVE-2025-47241 proved the whitelist bypass eliminates the only documented constraint [1].
Credential access 4 / 4 Cookie porting from Chrome gives the agent every authenticated web session the operator holds, and API keys are stored in the system Keychain [8].
Autonomous action 3 / 4 Browser actions execute autonomously once a task is assigned, with no per-action approval gates; configurable step and token budgets provide the only indirect brake on action chains [8].
Deployment access 1 / 4 No dedicated deployment tools are documented; the agent could access deployment dashboards through browser cookie porting, but this is generic browser access [8].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Browser Use Desktop ships a code sandbox and basic log scrubbing on the default configuration, with input guardrails, action approval, and centralized monitoring absent or operator-managed.

Defense Controls Metrics

Higher scores indicate stronger vendor-implemented safeguards; most components score at or near the floor, reflecting minimal built-in protections on the default configuration.

Each row scores a defense component from zero to three based on the vendor-implemented default posture.

Component Score Comments
Input Guardrails 0 / 3 No prompt shield, injection detection, or input validation is documented; web page HTML reaches the reasoning loop unfiltered as confirmed by independent analysis [4][12].
Execution Isolation 1 / 3 A code sandbox limits scripted code to safe builtins with dangerous imports blocked, but the agent process and browser run unrestricted on the host [9].
Action Controls 0 / 3 No approval gates, permission model, or action-level authorization documented; budget enforcement through step and token limits is the only indirect constraint [8].
Output Guardrails 1 / 3 Secret scrubbing covers API keys, tokens, and passwords in log output, but no data loss prevention or exfiltration blocking is documented for browser actions [8].
Monitoring 1 / 3 Structured JSON-line logging with crash telemetry is documented, but no SIEM integration, anomaly detection, or active alerting is in place [8].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta by deploying input filtering, restricting cookie porting scope, and gating autonomous browser actions before production use.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all agent sessions initiated through the WhatsApp channel to pass through an approval workflow before the daemon spawns the browser agent.
  • Configuration Configure a local proxy between the Chromium instance and the network to strip HTML content matching known injection patterns before it reaches the prompt.
  • Engineering Deploy an inline prompt injection classifier that inspects page content before the browser-use library appends it to the LLM context.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Establish a policy requiring the agent daemon to run inside a container or virtual machine rather than directly on the operator's host.
  • Configuration Configure the Electron application to launch with restricted file system permissions, limiting access to a dedicated working directory.
  • Engineering Wrap the agent process in an OS-level sandbox such as macOS Seatbelt or Linux Bubblewrap to enforce capability and network restrictions.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Define a policy requiring human approval for any browser action that submits forms, initiates downloads, or navigates outside an operator-maintained allowlist.
  • Configuration Configure step and token budget limits to the minimum viable threshold for the intended task scope, reducing the autonomous action window.
  • Engineering Implement a pre-action hook in the agent daemon that classifies each pending browser action against an operator-defined risk policy before execution.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Establish a data handling policy classifying which authenticated sessions may be accessed through cookie porting and blocking high-sensitivity cookie categories.
  • Configuration Configure secret scrubbing rules to extend beyond API keys to cover session cookies, OAuth tokens, and operator-defined sensitive data patterns.
  • Engineering Deploy a network-level data loss prevention proxy inspecting all outbound browser traffic for patterns matching sensitive organizational data.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Require all agent daemon logs to be forwarded to the organization's SIEM within a defined retention and alerting policy.
  • Configuration Configure structured logging to include full browser action traces with URL destinations, form field names, and cookie domains accessed per session.
  • Engineering Build automated anomaly detection rules that flag sessions with unusual domain navigation, credential submission, or bulk data transfer patterns.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2025-47241 NVD CVSS 4.0; domain whitelist bypass via URL userinfo parsing; patched in browser-use 0.1.45
  2. GHSA-x39x-9qw5-ghrf GitHub Security Advisory critical; CVE-2025-47241; discovered by ARIMLABS.AI
  3. Supply chain risk in init command Unverified template fetching from GitHub without integrity checks or pinned commits

Selected Research

  1. The Hidden Dangers of Browsing AI Agents White-box security analysis with working PoC against browser-use; prompt injection and credential exfiltration
  2. Mind the Web: Security of Web Use Agents Task-aligned injection attacks against five web agents including Browser Use; 66.6% overall ASR
  3. Web agent security survey Multi-agent evaluation; Browser Use tested with 46-87% ASR across attack scenarios
  4. Kudelski Security browser-use/web-ui RCE Pickle deserialization RCE in browser-use/web-ui companion project; same vendor organization

Vendor Documentation

  1. Browser Use Desktop repository Official GitHub repository; architecture, changelog, and feature documentation
  2. Secure Agent Sandbox Infrastructure Vendor blog; Pattern 2 sandbox architecture with isolated agent and control plane
  3. browser-use 0.12.5 release notes litellm supply chain removal after backdoored versions 1.82.7-1.82.8 discovered

Other Sources

  1. CSA Computer-Use Agent Safety Blind Spots References CVE-2025-47241; discusses browser agent indirect prompt injection chain
  2. Anthropic prompt injection in browser use Anthropic research on mitigating prompt injection defenses in browser agent context
  3. GHSA-6jc4-v4m9-6hq9 reference issue References withdrawn GHSA for prompt injection in browser-use; zero-trust policy fix discussed
  4. Command injection fix in ad_generator.py Critical command injection via subprocess.run with user-controlled file paths; patched