CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-4218: handrew browserpilot gpt_selenium_agent.py GPTSeleniumAgent code injection

5.3 CVSS

Description

A vulnerability was found in handrew browserpilot up to 0.2.51. It has been declared as critical. Affected by this vulnerability is the function GPTSeleniumAgent of the file browserpilot/browserpilot/agents/gpt_selenium_agent.py. The manipulation of the argument instructions leads to code injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. In handrew browserpilot bis 0.2.51 wurde eine kritische Schwachstelle ausgemacht. Es geht um die Funktion GPTSeleniumAgent der Datei browserpilot/browserpilot/agents/gpt_selenium_agent.py. Durch das Beeinflussen des Arguments instructions mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Der Exploit steht zur öffentlichen Verfügung.

Classification

CVE ID: CVE-2025-4218

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Problem Types

Code Injection Injection

Affected Products

Vendor: handrew

Product: browserpilot

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.62% (scored less or equal to compared to others)

EPSS Date: 2025-05-31 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4218
https://vuldb.com/?id.307195
https://vuldb.com/?ctiid.307195
https://vuldb.com/?submit.562383
https://github.com/handrew/browserpilot/issues/20
https://github.com/handrew/browserpilot/issues/20#issue-2999815850

Timeline

2025-05-02 21:40:19 UTC
CVE

handrew browserpilot gpt_selenium_agent.py GPTSeleniumAgent code injection