← All tools

@browserbasehq/mcp-server-browserbase

MCP

MCP server for AI web browser automation using Browserbase and Stagehand

v2.4.3 Apache-2.0 Tested 8 Feb 2026
3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 4.0
Reliability 6.0
Agent usability 6.0
Compatibility 8.0
Code health 8.0

Compatibility

Framework Status Notes
Claude Code
OpenAI Agents SDK ~ Screenshot tool returns base64 image in MCP ImageContent format - may need adapter to convert to OpenAI's vision format, Resources capability (screenshots) not directly supported by OpenAI SDK - would need custom handling
LangChain ~ Stagehand session state management could conflict with LangChain's stateless tool execution model, Screenshot resources stored in memory Map - needs session cleanup handling in LangChain context, Complex return types (ImageContent with base64) may need serialization adapters

Security findings

CRITICAL

Secrets logged in error messages and console output

src/config.ts lines 51-63: Logs 'dummy-browserbase-api-key', 'dummy-browserbase-project-id', 'dummy-api-key' to console when env vars are missing. While these are dummy values, the pattern demonstrates that real secrets could be logged. src/sessionManager.ts likely contains similar patterns for session management.

HIGH

Unvalidated URL input in navigation tool

src/tools/navigate.ts lines 26-28: The NavigateInputSchema only validates that 'url' is a string with no restrictions on protocol, domain, or format. This allows navigation to file://, javascript:, data: URIs or internal network addresses, enabling SSRF attacks. The tool directly passes user input to page.goto() without sanitization.

HIGH

Command injection risk in screenshot tool

src/tools/screenshot.ts lines 55-60: The screenshot name is constructed using user-provided params.name without validation. While this specific case may not be directly exploitable, the pattern of unsanitized string concatenation is dangerous. The name parameter has no length limits or character restrictions defined in the schema (line 17).

HIGH

HTTP server binds to 0.0.0.0 without authentication

src/transport.ts lines 58-94 and src/config.ts lines 31-34: The server can bind to 0.0.0.0 (all interfaces) via --host flag or config, exposing the MCP server to external networks. There is no authentication mechanism for HTTP transport. The /mcp endpoint accepts POST requests without credentials, allowing anyone on the network to execute browser automation commands.

MEDIUM

Verbose error messages expose internal state

MEDIUM

Missing input validation on session IDs

MEDIUM

API keys in command-line arguments

Reliability

Success rate

72%

Calls made

100

Avg latency

3500ms

P95 latency

8000ms

Failure modes

  • Missing environment variables cause startup failure with dummy values - tools will fail at execution time rather than initialization
  • CDP (Chrome DevTools Protocol) calls in screenshot tool can fail silently or throw unhandled exceptions if browser session dies
  • Session manager lacks timeout protection on browser operations - hung connections could block indefinitely
  • No validation of URL format in navigate tool - malformed URLs passed directly to page.goto() causing crashes
  • Resource cleanup on session close may fail if Stagehand instance is already destroyed, leaving dangling references
  • Screenshot scaling with sharp library has no try-catch around metadata extraction or resize operations
  • No rate limiting or concurrent request handling - multiple simultaneous tool calls could create race conditions in session management
  • Error messages from Browserbase API failures are sometimes swallowed and replaced with generic 'Failed to...' messages
  • No graceful handling of network timeouts in navigate tool - domcontentloaded can hang indefinitely
  • Context cleanup in exit handler uses Promise.all without individual error catching - one failure blocks all cleanup

Code health

License

Apache-2.0

Has tests

Yes

Has CI

No

Dependencies

47

Active development with recent commits. Well-documented with comprehensive README, changelog, and TypeScript definitions. Includes evaluation tests (evals/) and good code structure. Has linting (eslint.config.js) and uses pnpm with lockfile. Missing CI configuration (.github/workflows absent) and test coverage reporting, though test infrastructure exists. A few outdated dependencies but no known vulnerabilities. Overall healthy codebase with professional tooling setup.

View source on GitHub →