CRAI  Feb 28

Atomicity for Agents: Exposing, Exploiting, and Mitigating TOCTOU Vulnerabilities in Browser-Use Agents

Linxi Jiang, Zhijie Liu, Haotian Luo, Zhiqiang Lin
arXiv:2603.00476v11 citations  Has Code
Originality: Incremental advance
AI Analysis

This addresses a security and reliability issue for users of browser-use agents, which are widely used for automated web tasks, by exposing and mitigating vulnerabilities that can lead to unintended actions.

The paper tackles time-of-check to time-of-use (TOCTOU) vulnerabilities in browser-use agents, where web page changes between planning and execution cause unintended actions. A large-scale empirical study shows that these vulnerabilities are widespread across 10 popular agents, and a lightweight mitigation based on pre-execution validation reduces the risk.

Browser-use agents are widely used for everyday tasks. They enable automated interaction with web pages through structured DOM-based interfaces or vision-language models operating on page screenshots. However, web pages often change between planning and execution, causing agents to execute actions based on stale assumptions. We view this temporal mismatch as a time-of-check to time-of-use (TOCTOU) vulnerability in browser-use agents. Dynamic or adversarial web content can exploit this window to induce unintended actions. We present a large-scale empirical study of TOCTOU vulnerabilities in browser-use agents using a benchmark that spans synthesized and real-world websites. Using this benchmark, we evaluate 10 popular open-source agents and show that TOCTOU vulnerabilities are widespread. We design a lightweight mitigation based on pre-execution validation. It monitors DOM and layout changes during planning and validates the page state immediately before action execution. This approach reduces the risk of insecure execution and mitigates unintended side effects in browser-use agents.
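The pre-execution validation idea from the abstract, shown as an added example that is not the paper's implementation or code from its repository: an agent records what it relied on at planning time and re-reads the target immediately before acting. The function names, the compared fields and the pixel tolerance are assumptions, and plain objects stand in for DOM nodes.

```javascript
// Added illustration: elements are plain objects standing in for DOM nodes
// (constructed sample data), so the check runs offline in Node.

// Fields the agent relied on when it planned the action (assumed set).
function snapshotTarget(el) {
  const { tag, text, href, rect } = el;
  return { tag, text: text.trim(), href: href || null, rect: { ...rect } };
}

// Compare the plan-time snapshot with the state read just before execution.
// tolerancePx allows small benign layout jitter (assumed threshold).
function validateTarget(planned, current, tolerancePx = 4) {
  const reasons = [];
  if (!current) return { ok: false, reasons: ["target missing"] };
  const now = snapshotTarget(current);
  if (now.tag !== planned.tag) reasons.push("tag changed");
  if (now.text !== planned.text) reasons.push("text changed");
  if (now.href !== planned.href) reasons.push("href changed");
  for (const k of ["x", "y", "width", "height"]) {
    if (Math.abs(now.rect[k] - planned.rect[k]) > tolerancePx) {
      reasons.push(`layout moved (${k})`);
      break;
    }
  }
  return { ok: reasons.length === 0, reasons };
}

// Re-read the page state immediately before acting; refuse on mismatch so
// the caller can re-plan instead of acting on a stale assumption.
function guardedAct(planned, readCurrent, act) {
  const verdict = validateTarget(planned, readCurrent());
  if (!verdict.ok) return { executed: false, reasons: verdict.reasons };
  act();
  return { executed: true, reasons: [] };
}

// Constructed sample: a "Download" link as observed at planning time...
const atPlan = { tag: "a", text: "Download ", href: "/files/report.pdf",
                 rect: { x: 100, y: 200, width: 80, height: 24 } };
// ...and three possible states at execution time.
const unchanged = { ...atPlan, rect: { ...atPlan.rect, y: 202 } };
const retargeted = { ...atPlan, href: "/files/other.bin" };
const shifted = { ...atPlan, rect: { ...atPlan.rect, y: 260 } };

const plan = snapshotTarget(atPlan);
```

The layout check matters most for agents that act on screen coordinates, the attribute checks for agents that act on DOM references.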
