mcp-server-browserbase

Allow LLMs to control a browser with Browserbase and Stagehand

Repository: 2595 stars. Last scanned: 9/20/2025

Overall risk score: 4/10 (MEDIUM RISK)
Threat Matrix - SAFE-MCP Framework

Tactic                Tactic ID    Score   Technique detected
Initial Access        ATK-TA0001   4/10    SAFE-T1102 Prompt Injection
Execution             ATK-TA0002   7/10    -
Persistence           ATK-TA0003   -       No techniques detected
Privilege Escalation  ATK-TA0004   3/10    -
Defense Evasion       ATK-TA0005   2/10    -
Credential Access     ATK-TA0006   1/10    -
Discovery             ATK-TA0007   2/10    -
Lateral Movement      ATK-TA0008   -       No techniques detected
Collection            ATK-TA0009   3/10    -
Command & Control     ATK-TA0011   -       No techniques detected
Exfiltration          ATK-TA0010   3/10    -
Impact                ATK-TA0040   7/10    SAFE-T1001 Tool Poisoning

Risk levels: Critical (7-10), High (5-6), Medium (3-4), Low (1-2)

2 techniques detected across 2 tactics
AI-Enhanced Risk Scenarios

Critical Attack Paths (3)

Remote Command Execution via Exposed SHTTP Endpoint (likelihood: high; impact: major)
  1. Attacker scans the network to identify open SHTTP endpoints.
  2. Discovers the MCP server bound to '0.0.0.0' allowing external connections.
  +2 more steps

Unauthorized Access via Hardcoded API Keys (likelihood: medium; impact: moderate)
  1. Attacker gains access to the repository or configuration files.
  2. Finds hardcoded API keys in 'mcp-eval-basic.config.json'.
  +2 more steps

Exploitation of Outdated Playwright-core Dependency (likelihood: medium; impact: moderate)
  1. Attacker identifies the outdated Playwright-core version in 'package.json'.
  2. Researches known vulnerabilities in the specific version.
  +2 more steps

Prioritized Mitigations

Three mitigations are listed, at priority immediate, high and high; their titles did not render on the scanned page.

Findings by severity: 0 Critical, 1 High, 1 Medium, 1 Low

Outdated Playwright-core Dependency (MEDIUM)

The project pins playwright-core 1.53.2, which is several releases behind the current version. Older releases may carry publicly known vulnerabilities; check the pinned version against `npm audit` and the upstream release notes, and bump it in the lockfile as well as in package.json so the installed version actually changes.
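The guard a practitioner would add to CI for this finding, as an added example that is not the project's own code: it fails the build when a dependency in package.json is pinned below a required minimum. The package.json is constructed to mirror the finding (playwright-core 1.53.2); the floor versions passed in are illustrative values, not a statement that any particular release fixes a known issue. Pair it with `npm audit`, which remains the source of truth for advisories.

```javascript
// Added example, not code from the mcp-server-browserbase project: a CI guard
// that fails when a dependency pinned in package.json sits below a required
// minimum version. SAMPLE_PACKAGE_JSON is constructed to mirror the finding
// (playwright-core 1.53.2); floor values are illustrative, not known-fixed releases.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "mcp-server-browserbase",
  dependencies: { "playwright-core": "1.53.2", zod: "^3.23.8" },
});

// Extract [major, minor, patch] from a spec such as "1.53.2", "^1.53.2" or "~1.53.2".
// Specs with no concrete version ("*", "latest", "next") cannot be floor-checked.
function parseSemver(spec) {
  const m = /^[\^~=v]?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// floors maps package name -> minimum acceptable version. Returns one entry per
// violation; an empty array means every listed dependency meets its floor.
function checkDependencyFloors(packageJsonText, floors) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const violations = [];
  for (const [name, minimum] of Object.entries(floors)) {
    const floor = parseSemver(minimum);
    if (floor === null) throw new Error(`floor for ${name} is not a concrete version: ${minimum}`);
    const spec = deps[name];
    if (spec === undefined) continue; // package does not depend on it
    const pinned = parseSemver(spec);
    if (pinned === null) {
      violations.push({ name, pinned: spec, minimum, reason: "unparseable version spec" });
    } else if (compareSemver(pinned, floor) < 0) {
      violations.push({ name, pinned: spec, minimum, reason: "below minimum" });
    }
  }
  return violations;
}

// CLI use against the real package.json in the repo root; returns the exit code.
function runFromDisk(floors) {
  const fs = require("node:fs");
  const violations = checkDependencyFloors(fs.readFileSync("package.json", "utf8"), floors);
  for (const v of violations) {
    console.error(`${v.name}: pinned ${v.pinned}, minimum ${v.minimum} (${v.reason})`);
  }
  return violations.length === 0 ? 0 : 1;
}
```

In a workflow step, `process.exit(runFromDisk({ "playwright-core": "<minimum you have decided on>" }))` turns the finding into a hard gate; a spec such as `latest` is reported as unparseable rather than silently accepted, because an unpinned range cannot be audited.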

Hardcoded API Keys in Evaluation Configurations (LOW)

The evaluation configurations (mcp-eval-basic.config.json, mcp-eval-minimal.config.json, mcp-eval.config.json) reference API keys through environment variables rather than embedding them, and the GitHub CI workflow marks those variables as required: if they are unset, the evaluation fails, but the server itself is not affected. The residual risk is that a real key is pasted into one of these files in place of the variable reference and committed, which would grant whoever reads the repository access to the associated accounts.
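The pre-commit check that addresses the residual risk above, as an added example and not the project's own tooling: it walks an evaluation config and flags any key-like field whose value is a literal rather than an environment-variable reference. The config shape and the `${VAR}` placeholder convention are assumptions for illustration; the project's real eval config format is not shown on this page, and both sample configs are constructed.

```javascript
// Added example, not code from the mcp-server-browserbase project: flag
// API-key-shaped literals in evaluation config files so a pre-commit hook or CI
// step catches a key pasted in place of an environment-variable reference.
// The config layout and "${VAR}" / "$VAR" placeholder syntax are assumptions.

const KEY_FIELD = /(api[_-]?key|secret|token|password)/i;
const ENV_REFERENCE = /^\$\{?[A-Z][A-Z0-9_]*\}?$/; // "${BROWSERBASE_API_KEY}" or "$OPENAI_API_KEY"

// Constructed inputs, not the project's real files.
const SAFE_CONFIG = JSON.stringify({
  env: { BROWSERBASE_API_KEY: "${BROWSERBASE_API_KEY}", OPENAI_API_KEY: "$OPENAI_API_KEY" },
  model: { name: "example-model" },
});
const LEAKED_CONFIG = JSON.stringify({
  env: { BROWSERBASE_API_KEY: "literal-placeholder-value-0123456789" },
  model: { name: "example-model", apiKey: "another-literal-placeholder-value" },
});

// Depth-first walk; collects dotted paths of offending fields into `out`.
function walk(node, path, out) {
  if (node === null || typeof node !== "object") return;
  for (const [key, value] of Object.entries(node)) {
    const here = [...path, key];
    if (typeof value === "string") {
      if (KEY_FIELD.test(key) && value.length > 0 && !ENV_REFERENCE.test(value)) {
        out.push(here.join("."));
      }
    } else {
      walk(value, here, out); // nested objects and arrays
    }
  }
}

// Returns the list of field paths holding a literal where a reference is expected.
function findLiteralSecrets(configText) {
  const out = [];
  walk(JSON.parse(configText), [], out);
  return out;
}

// Hook entry point: scan each file given on the command line, non-zero on any hit.
function scanFiles(paths) {
  const fs = require("node:fs");
  let hits = 0;
  for (const p of paths) {
    for (const field of findLiteralSecrets(fs.readFileSync(p, "utf8"))) {
      console.error(`${p}: ${field} holds a literal value; use an environment variable reference`);
      hits++;
    }
  }
  return hits === 0 ? 0 : 1;
}
```

Run it as `process.exit(scanFiles(process.argv.slice(2)))` over the three eval config files in a pre-commit hook. The match is on field name, not on value shape, so it does not depend on knowing any vendor's key prefix; the cost is that a benign literal in a field named `token` is also reported, which is the preferable failure mode here.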

Unsecured SHTTP Transport Configuration (HIGH)

The server configuration accepts a host other than localhost for the SHTTP (Streamable HTTP) transport. Binding to '0.0.0.0' listens on every interface, so any host that can reach the machine can connect to the MCP endpoint and drive the browser session; without additional security measures such as authentication on that endpoint, this allows unauthorized access and control. Keep the transport on loopback unless an authentication layer is in front of it.