Impact
Chrome DevTools for agents (chrome-devtools-mcp) allows a coding agent to control and inspect a live Chrome browser. Between versions 0.20.0 and 1.1.0, the daemon writes a PID file with fs.writeFileSync() to a deterministic runtime path. On macOS and when $XDG_RUNTIME_DIR is unset on Linux, that path resolves to /tmp/chrome-devtools-mcp-<uid>/daemon.pid. Because the write does not use the O_NOFOLLOW flag, a local low‑privileged user can pre‑create that path as a symlink to any file they can write. When the daemon starts, fs.writeFileSync() follows the symlink and overwrites the target file with the daemon PID string. This allows an attacker to truncate or overwrite a file that the daemon writes, potentially resulting in unintended data loss or configuration corruption. The issue is fixed in version 1.1.0.
Affected Systems
Vulnerable versions of ChromeDevTools:chrome-devtools-mcp from 0.20.0 up to and including 1.1.0, on macOS and Linux systems where the XDG_RUNTIME_DIR environment variable is unset and the fallback path resolves to /tmp/chrome-devtools-mcp-<uid>/daemon.pid.
Risk and Exploitability
The CVSS score of 6.1 indicates medium severity. The EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low to moderate exploitation probability to date. A local attacker with a user account on the same host can trivially create the offending symlink and wait for the victim to launch the daemon. Once the daemon runs, the attacker’s symlink will cause the written PID string to overwrite the targeted file. Relying on the lack of O_NOFOLLOW makes the vulnerability straightforward to exploit; however, it requires only local file system access.
OpenCVE Enrichment
Github GHSA