CVE Catalog

CVE-2026-53765

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.08%

0th percentile — higher than 0% of all known CVEs

Summary

A vulnerability in chrome-devtools-mcp from version 0.20.0 to 1.1.0 allows a local low-privilege user to create a symbolic link to the daemon PID file, resulting in overwriting any victim's file with the daemon PID string.

Risk Assessment

An attacker can deliberately corrupt configuration files, startup scripts, or other critical resources of the victim, leading to service disruption or privilege escalation.

Recommendation

Immediately update chrome-devtools-mcp to version 1.1.0 or later, which includes a fix preventing symlink following when writing the PID file.

Original NVD description (English source)

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.20.0 until 1.1.0, The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync() to a deterministic runtime path. On typical macOS environments, and on Linux sessions where $XDG_RUNTIME_DIR is unset, that runtime path falls back to /tmp/chrome-devtools-mcp-<uid>/daemon.pid. Because the write does not use O_NOFOLLOW, a local low-privilege user on the same POSIX host can pre-create /tmp/chrome-devtools-mcp-<victim_uid>/daemon.pid as a symlink to a file writable by the victim. When the victim later starts daemon mode, fs.writeFileSync() follows the symlink and truncates the target file to the daemon PID string. This vulnerability is fixed in 1.1.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS