mcp-server-browserbase

Allow LLMs to control a browser with Browserbase and Stagehand

Repository: 2580 stars. Last scanned: 9/15/2025

Overall risk score: 4/10 (MEDIUM RISK)
Threat Matrix - SAFE-MCP Framework

Tactic                ATT&CK ID    Score   Technique detected
Initial Access        ATK-TA0001   3/10    SAFE-T1102 Prompt Injection
Execution             ATK-TA0002   5/10
Persistence           ATK-TA0003   1/10
Privilege Escalation  ATK-TA0004   2/10
Defense Evasion       ATK-TA0005   4/10
Credential Access     ATK-TA0006   1/10
Discovery             ATK-TA0007   3/10
Lateral Movement      ATK-TA0008   1/10
Collection            ATK-TA0009   2/10
Command & Control     ATK-TA0011   3/10
Exfiltration          ATK-TA0010   2/10
Impact                ATK-TA0040   5/10    SAFE-T1001 Tool Poisoning

Risk levels: Critical (7-10), High (5-6), Medium (3-4), Low (1-2)

2 techniques detected across 2 tactics
AI-Enhanced Risk Scenarios

Critical Attack Paths (3)

Unauthorized Access via Manipulated Environment Variables
Likelihood: medium. Impact: major.
1. Attacker gains access to the server environment via compromised credentials or an insider.
2. Attacker modifies the environment variables that src/config.ts reads, such as BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID.
+2 more steps

Data Interception via Insecure HTTP Transport
Likelihood: high. Impact: moderate.
1. Attacker positions themselves on the same network as the target server.
2. Attacker captures the plain HTTP traffic between the MCP server and its clients with a packet-capture tool such as Wireshark.
+2 more steps

Denial of Service via Unvalidated Input in Observe Tool
Likelihood: medium. Impact: minor.
1. Attacker crafts a malicious value for the `instruction` parameter handled in src/tools/observe.ts.
2. The value is passed to Stagehand's `page.observe` function without validation.
+1 more step

Prioritized Mitigations

Findings by severity: 0 Critical, 1 High, 1 Medium, 1 Low

Unvalidated API Key Usage (HIGH)

The server reads its API keys (BROWSERBASE_API_KEY, BROWSERBASE_PROJECT_ID, ANTHROPIC_API_KEY, GEMINI_API_KEY) from environment variables and uses them without checking that they are present or well-formed. A missing or malformed key surfaces as a failure on the first tool call rather than as a clear error at startup, and a changed key or BROWSERBASE_PROJECT_ID silently points the server at a different Browserbase project or disrupts service. Note the precondition: whoever can alter the process environment already controls the host or the deployment, so this is a fail-fast and secret-hygiene issue rather than a remotely reachable flaw; the risk scenario above assumes that foothold.
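One way to add the missing check, as an added example that is not the project's own src/config.ts: a loader that validates the four variables at startup, fails fast with an error that names the variable but never echoes its value, and produces a redacted summary for logs. The plausibility rules (no whitespace, at least 16 characters), treating the two model keys as optional, and requiring at least one of them are assumptions, not documented behaviour of Browserbase or this server.

```typescript
// Added example, not the project's own src/config.ts. Variable names come from the
// finding; the format rules below (non-empty, no whitespace, >= 16 chars) and the
// optional/at-least-one rule for the model keys are assumptions.

interface ServerConfig {
  browserbaseApiKey: string;
  browserbaseProjectId: string;
  anthropicApiKey?: string; // assumed optional: one model provider is enough
  geminiApiKey?: string;
}

type Env = Record<string, string | undefined>;

const MIN_SECRET_LENGTH = 16; // assumed lower bound; real keys are longer

// Validates one variable. Error messages name the variable but never include the
// value, because startup errors routinely end up in logs and crash reports.
function readSecret(env: Env, name: string, required: boolean): string | undefined {
  const value = env[name];
  if (value === undefined || value.trim() === "") {
    if (required) throw new Error(`missing required environment variable ${name}`);
    return undefined;
  }
  if (/\s/.test(value)) {
    throw new Error(`${name} contains whitespace (value redacted); check for a copy-paste error`);
  }
  if (value.length < MIN_SECRET_LENGTH) {
    throw new Error(`${name} is implausibly short (value redacted)`);
  }
  return value;
}

// Fail-fast loader: every problem surfaces at startup, not on the first tool call.
function loadConfig(env: Env): ServerConfig {
  const browserbaseApiKey = readSecret(env, "BROWSERBASE_API_KEY", true)!;
  const browserbaseProjectId = readSecret(env, "BROWSERBASE_PROJECT_ID", true)!;
  const anthropicApiKey = readSecret(env, "ANTHROPIC_API_KEY", false);
  const geminiApiKey = readSecret(env, "GEMINI_API_KEY", false);
  // Assumed: the server needs at least one model provider to drive Stagehand.
  if (anthropicApiKey === undefined && geminiApiKey === undefined) {
    throw new Error("set ANTHROPIC_API_KEY or GEMINI_API_KEY; the server has no model provider");
  }
  return { browserbaseApiKey, browserbaseProjectId, anthropicApiKey, geminiApiKey };
}

// Redacted view that is safe to print at startup: which secrets are set, never their values.
function describeConfig(cfg: ServerConfig): Record<string, string> {
  const mask = (v: string | undefined) => (v === undefined ? "unset" : `set (${v.length} chars)`);
  return {
    BROWSERBASE_API_KEY: mask(cfg.browserbaseApiKey),
    BROWSERBASE_PROJECT_ID: mask(cfg.browserbaseProjectId),
    ANTHROPIC_API_KEY: mask(cfg.anthropicApiKey),
    GEMINI_API_KEY: mask(cfg.geminiApiKey),
  };
}

// Usage at startup: const cfg = loadConfig(process.env); console.log(describeConfig(cfg));
```

The point of the redacted summary is that the one place secrets are most often leaked is the "here is my config" log line written to help with debugging; logging presence and length gives operators what they need without the value.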

Insecure HTTP Transport (MEDIUM)

The server can expose its MCP endpoint over plain HTTP. Without TLS, anyone on the network path can read or alter the traffic (eavesdropping, man-in-the-middle), which here includes tool arguments, the page content the browser returns, and any credentials carried in requests. Bind the HTTP transport to loopback or place it behind a TLS-terminating proxy, restrict browser callers by Origin, and require client authentication before a request reaches a tool.
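The weak setting beside a hardened one, as an added example that is not the project's transport code: the listener configuration the finding warns about, and an admission check that refuses plaintext, allowlists browser origins, and requires a bearer token before a request is handed to a tool. It assumes a TLS-terminating reverse proxy that sets X-Forwarded-Proto, header names arriving lower-cased as Node's http module delivers them, and a static shared token; the policy values are constructed.

```typescript
// Added example, not the project's transport code. Assumptions: a TLS-terminating
// reverse proxy sets x-forwarded-proto, headers are keyed lower-case, and clients
// authenticate with a static bearer token. Policy values below are constructed.

interface ListenOptions { host: string; port: number }

// Weak setting: reachable from every interface over plain HTTP, no client authentication.
const INSECURE_LISTEN: ListenOptions = { host: "0.0.0.0", port: 3000 };

// Hardened default: loopback only, so off-host traffic has to come through the proxy.
function hardenedListenOptions(port: number = 3000): ListenOptions {
  return { host: "127.0.0.1", port };
}

// True when the listener accepts connections from any interface.
function isExposed(opts: ListenOptions): boolean {
  return opts.host === "0.0.0.0" || opts.host === "::";
}

type LowercaseHeaders = Record<string, string | undefined>;

interface AdmissionPolicy {
  requireTls: boolean;                 // refuse requests the proxy received over plain HTTP
  allowedOrigins: ReadonlySet<string>; // browser callers must come from one of these
  bearerToken: string;                 // presented as "Authorization: Bearer <token>"
}

interface Decision { ok: boolean; reason: string }

// Constant-time comparison (leaks only the length) so the token check is not a timing oracle.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function admit(headers: LowercaseHeaders, policy: AdmissionPolicy): Decision {
  // 1. Plaintext refused: closes the eavesdropping path in the finding.
  if (policy.requireTls && headers["x-forwarded-proto"] !== "https") {
    return { ok: false, reason: "plain HTTP refused; TLS required" };
  }
  // 2. Origin allowlist: a web page loaded in a local browser cannot drive the
  //    server (DNS rebinding, cross-site requests) unless its origin is listed.
  //    Non-browser clients send no Origin and fall through to the token check.
  const origin = headers["origin"];
  if (origin !== undefined && !policy.allowedOrigins.has(origin)) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  // 3. Bearer token: reaching the port is not enough to call tools.
  const auth = headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (token.length === 0 || !constantTimeEqual(token, policy.bearerToken)) {
    return { ok: false, reason: "missing or invalid bearer token" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed policy for a deployment behind a TLS proxy.
const EXAMPLE_POLICY: AdmissionPolicy = {
  requireTls: true,
  allowedOrigins: new Set(["https://mcp.example.internal"]),
  bearerToken: "mcp_0123456789abcdef0123456789abcdef",
};
```

Order matters: the TLS check runs first because a token checked over plaintext is a token the on-path attacker now has. The Origin check is the part most often skipped for "local" servers, yet it is what stops a malicious web page from talking to a loopback-bound MCP endpoint.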

Lack of Input Validation in Observe Tool (LOW)

The `observe` tool takes an `instruction` parameter from the caller and passes it straight to Stagehand's `page.observe` function. Without size and shape checks, an oversized or malformed instruction produces unexpected behaviour, errors, or a long-running call that ties up the server (the denial-of-service path above). Validation bounds cost; it does not address prompt injection, because both the instruction and the page content it is applied to reach a model, which is the SAFE-T1102 entry in the matrix.