Impact
Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.20.0 through 1.1.0, the daemon writes its PID file with fs.writeFileSync() to a deterministic runtime path. On typical macOS environments, and on Linux sessions where $XDG_RUNTIME_DIR is unset, that path falls back to /tmp/chrome-devtools-mcp-<uid>/daemon.pid. Because the write does not use the O_NOFOLLOW flag, a local low-privilege user on the same POSIX host can pre-create /tmp/chrome-devtools-mcp-<victim_uid>/daemon.pid as a symlink to a file writable by the victim. When the victim later starts the daemon, fs.writeFileSync() follows the symlink and truncates the target file, replacing its contents with the daemon PID string. This local file-overwrite capability can be used to modify configuration files or other privileged data, potentially enabling privilege escalation or denial of service. The vulnerability is fixed in version 1.1.0.
Affected Systems
Vulnerable versions of ChromeDevTools:chrome-devtools-mcp from 0.20.0 up to and including 1.1.0, on macOS and Linux systems where the XDG_RUNTIME_DIR environment variable is unset and the fallback path resolves to /tmp/chrome-devtools-mcp-<uid>/daemon.pid.
Risk and Exploitability
The CVSS score of 6.1 indicates medium severity. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog, suggesting a low to moderate exploitation probability to date. A local attacker with a user account on the same host can trivially create the offending symlink and wait for the victim to launch the daemon. Once the daemon runs, the attacker's symlink will cause the written PID string to overwrite the targeted file. Because the write relies on nothing but the absence of O_NOFOLLOW, exploitation is straightforward; the limiting factor is that it requires local file system access on the same host.
OpenCVE Enrichment
Github GHSA