github · chrome-devtools-mcpHEAD

Evidence

console.log(`Downloaded to ${publisherPath}`);

  // Create the new server.json in the temporary directory

  execSync(`${publisherPath} init`, {cwd: tmpDir, stdio: 'inherit'});

  const newServerJsonPath = path.join(tmpDir, 'server.json');

  const newServerJson = JSON.parse(fs.readFileSync(newServerJsonPath, 'utf-8'));

RemediationAI

The problem is that `execSync()` is called with a template string containing `publisherPath`, which is attacker-controllable and can inject arbitrary shell commands. Replace the shell command execution with the array form of `execSync()` by changing `execSync(\`${publisherPath} init\`, {cwd: tmpDir, stdio: 'inherit'})` to `execSync([publisherPath, 'init'], {cwd: tmpDir, stdio: 'inherit'})` (or use `spawnSync()` with the array argument form). This eliminates shell interpretation entirely, preventing command injection even if `publisherPath` contains special characters or shell metacharacters. Verify by testing with a path containing spaces, semicolons, or backticks—the command should fail gracefully or treat them as literal filename characters rather than executing them.

Evidence

const cruxManager = DevTools.CrUXManager.instance();

  // go/jtfbx. Yes, we're aware this API key is public. ;)

  cruxManager.setEndpointForTesting(

    'https://chromeuxreport.googleapis.com/v1/records:queryRecord?key=AIzaSyBn5gimNjhiEyA_euicSKko6IlD3HdgUfk',

  );

  const cruxSetting =

    DevTools.Common.Settings.Settings.instance().createSetting('field-data', {

RemediationAI

The problem is that a Google API key is hardcoded in the source file `src/tools/performance.ts` in the CrUX endpoint URL, which grants anyone with repository access direct API quota and potential abuse. Move the API key to an environment variable by replacing the hardcoded URL with `process.env.CRUX_API_KEY` and updating the endpoint to `https://chromeuxreport.googleapis.com/v1/records:queryRecord?key=${process.env.CRUX_API_KEY}`, then rotate the exposed key in the Google Cloud Console. This ensures credentials are never committed to version control and can be managed securely per deployment environment. Verify by confirming the environment variable is set before running the tool, and check that the API call succeeds with the new variable-based URL.

Evidence

Example without arguments: `() => {

  return document.title

}` or `async () => {

  return await fetch("example.com")

}`.

  Example with arguments: `(el) => {

  return el.innerText;

RemediationAI

The problem is that the example code in the documentation shows `fetch('example.com')` without any timeout parameter, which could hang indefinitely if the remote server is unresponsive or malicious. Add an explicit timeout to the fetch call by wrapping it with `Promise.race()` and `setTimeout()`, or use the `AbortController` with a timeout: `const controller = new AbortController(); const timeout = setTimeout(() => controller.abort(), 5000); await fetch('example.com', {signal: controller.signal})`. This prevents thread exhaustion and connection pool starvation by ensuring the MCP server can recover from hung requests. Verify by testing with a non-responsive endpoint and confirming the request aborts after the specified timeout (e.g., 5 seconds).

Evidence

name: 'function',

        type: 'string',

        description:

          'A JavaScript function declaration to be executed by the tool in the currently selected page.\nExample without arguments: `() => {\n  return document.title\n}` or `async () => {\n  return await fetch("example.com")\n}`.\nExample with arguments: `(el) => {\n  return el.innerText;\n}`\n',

        required: true,

      },

      args: {

RemediationAI

The problem is that the tool description in `src/bin/chrome-devtools-cli-options.ts` documents executing arbitrary JavaScript functions via `fetch()` without mentioning or enforcing timeouts, allowing malicious or slow upstream hosts to hang the MCP server. Update the description and implementation to document and enforce a timeout parameter (e.g., 30 seconds) for all network operations, and add validation in the execution handler to reject functions without timeout specifications or wrap them with `AbortController` and a default timeout. This ensures user-provided functions cannot pin threads indefinitely. Verify by executing a test function that makes a slow fetch and confirming it aborts after the timeout.

Evidence

htmlContent: `

      <h1>Network Test</h1>

      <script>

        fetch('/network_test.html'); // Self fetch to ensure at least one request

      </script>

    `,

  },

RemediationAI

The problem is that the test HTML in `scripts/eval_scenarios/network_test.ts` contains a bare `fetch('/network_test.html')` call without a timeout, which could hang the test suite if the server is slow or unresponsive. Wrap the fetch call with a timeout using `Promise.race()` or `AbortController`: `const controller = new AbortController(); setTimeout(() => controller.abort(), 5000); fetch('/network_test.html', {signal: controller.signal})`. This prevents test hangs and ensures the scenario completes within a bounded time. Verify by running the test scenario and confirming it completes within the timeout even if the endpoint is slow.

Evidence

if (cachePath) {

  try {

    const response = await fetch(`${getRegistry()}/chrome-devtools-mcp/latest`);

    const data = response.ok ? await response.json() : null;

    if (

RemediationAI

The problem is that `src/bin/check-latest-version.ts` calls `fetch()` without a timeout when querying the registry, allowing a slow or compromised registry to hang the version-check operation and block the MCP server startup. Add an explicit timeout by using `AbortController` with a 10-second limit: `const controller = new AbortController(); const timeout = setTimeout(() => controller.abort(), 10000); const response = await fetch(\`${getRegistry()}/chrome-devtools-mcp/latest\`, {signal: controller.signal})`. This ensures the version check fails fast and the server can start even if the registry is unreachable. Verify by simulating a slow registry endpoint and confirming the fetch aborts after 10 seconds.

Evidence

Example without arguments: \`() => {

  return document.title

}\` or \`async () => {

  return await fetch("example.com")

}\`.

Example with arguments: \`(el) => {

  return el.innerText;

RemediationAI

The problem is that the documentation in `src/tools/script.ts` shows example code with `fetch('example.com')` without timeout handling, which could allow user-provided scripts to hang the MCP server indefinitely. Update the example and add a note that all fetch calls must include a timeout via `AbortController` or `Promise.race()`, and enforce this in the script execution handler by wrapping user code with a default 30-second timeout. This prevents malicious or slow scripts from exhausting server resources. Verify by executing a test script with a slow fetch and confirming it aborts after the timeout.

Evidence

"test:no-build": "node scripts/test.mjs",

    "test:only": "npm run build && node scripts/test.mjs --test-only",

    "test:update-snapshots": "npm run build && node scripts/test.mjs --test-update-snapshots",

    "prepare": "node --experimental-strip-types scripts/prepare.ts",

    "verify-server-json-version": "node --experimental-strip-types scripts/verify-server-json-version.ts",

    "update-lighthouse": "node --experimental-strip-types scripts/update-lighthouse.ts",

    "update-metrics": "node

RemediationAI

The problem is that `package.json` declares a `prepare` hook that runs `node --experimental-strip-types scripts/prepare.ts` at install time, allowing arbitrary code execution on every `npm install` without explicit user consent. Remove or rename the `prepare` hook to `postinstall` with clear documentation, or better yet, move the type-stripping step to the build process only by removing the hook and adding it to the `build` script instead. This ensures type-stripping happens only during development/CI builds, not on every installation. Verify by running `npm install` in a clean environment and confirming the prepare script does not execute (or document why it must run at install time if it is truly necessary).

Evidence

{

  "mcpServers": {

    "chrome-devtools": {

      "command": "npx",

      "args": ["chrome-devtools-mcp@latest"]

    }

  }

}

RemediationAI

The problem is that `.mcp.json` declares MCP tools but includes no `auth`, `authorization`, `apiKey`, or other authentication field, making it unclear whether the server enforces any access control. Add an explicit authentication field documenting the actual mechanism, such as `"auth": "none"` if the server is public, or `"auth": "host-level"` if it relies on the host environment's security. This allows reviewers to audit the security model clearly. Verify by checking that the authentication field matches the actual implementation and that documentation explains the security implications.

Evidence

# How to contribute

We'd love to accept your patches and contributions to this project.

## Before you begin

### Sign our Contributor License Agreement

Contributions to this project must be accompanied by a

[Contributor License Agreement](https://cla.developers.google.com/about) (CLA).

You (or your employer) retain the copyright to your contribution; this simply

gives us permission to use and redistribute your contributions as part of the

project.

If you or your current employer have already

RemediationAI

The problem is that `CONTRIBUTING.md` does not include an authentication field in any MCP manifest declaration, leaving the security model undocumented for contributors. Add an explicit `auth` or `authorization` field to any embedded MCP configuration examples in the documentation, or add a section explaining that the chrome-devtools MCP server uses host-level authentication and does not require explicit credentials. This clarifies the security posture for contributors and reviewers. Verify by confirming that the authentication model is documented and matches the actual server implementation.

Evidence

{

  "name": "chrome-devtools-mcp",

  "version": "0.26.0",

  "description": "Reliable automation, in-depth debugging, and performance analysis in Chrome using Chrome DevTools and Puppeteer",

  "mcpServers": {

    "chrome-devtools": {

      "command": "npx",

      "args": [

        "chrome-devtools-mcp@latest"

      ]

    }

  }

}

RemediationAI

The problem is that `.github/plugin/plugin.json` declares MCP tools without an authentication field, making the security model opaque to GitHub Actions users and plugin consumers. Add an explicit `"auth": "host-level"` or appropriate authentication field to the manifest, and document in the plugin README what authentication mechanism is used. This ensures users understand the security implications of installing the plugin. Verify by checking that the authentication field is present and the plugin documentation explains the security model.

Evidence

{

  "name": "chrome-devtools-mcp",

  "version": "latest",

  "mcpServers": {

    "chrome-devtools": {

      "command": "npx",

      "args": ["chrome-devtools-mcp@latest"]

    }

  }

}

RemediationAI

The problem is that `gemini-extension.json` declares MCP tools without an authentication field, leaving the security model unclear for Gemini extension users. Add an explicit `"auth": "none"` or appropriate authentication field to the manifest, and document whether the server requires any credentials or relies on the host environment's security. This allows Gemini users to understand the security implications. Verify by confirming the authentication field is present and the extension documentation explains the security model.

Evidence

{

  "name": "chrome-devtools-mcp",

  "version": "0.26.0",

  "description": "Reliable automation, in-depth debugging, and performance analysis in Chrome using Chrome DevTools and Puppeteer",

  "mcpServers": {

    "chrome-devtools": {

      "command": "npx",

      "args": [

        "chrome-devtools-mcp@latest"

      ]

    }

  }

}

RemediationAI

The problem is that `.claude-plugin/plugin.json` declares MCP tools without an authentication field, making the security model undocumented for Claude plugin users. Add an explicit `"auth": "host-level"` or appropriate authentication field to the manifest, and ensure the plugin documentation explains the authentication mechanism. This clarifies the security posture for Claude users. Verify by checking that the authentication field is present and the plugin README documents the security model.

Evidence

# Troubleshooting

## General tips

- Run `npx chrome-devtools-mcp@latest --help` to test if the MCP server runs on your machine.

- Make sure that your MCP client uses the same npm and node version as your terminal.

- When configuring your MCP client, try using the `--yes` argument to `npx` to

  auto-accept installation prompt.

- Find a specific error in the output of the `chrome-devtools-mcp` server.

  Usually, if your client is an IDE, logs would be in the Output pane.

- Search the [GitHub rep

RemediationAI

The problem is that `docs/troubleshooting.md` does not document or declare an authentication mechanism for the MCP server, leaving users uncertain about the security model. Add a section to the troubleshooting guide explaining the authentication model (e.g., "The chrome-devtools MCP server uses host-level authentication and does not require explicit credentials"), and ensure any MCP manifest examples in the documentation include an explicit `auth` field. This helps users understand the security implications. Verify by confirming the documentation clearly explains the authentication mechanism.

Evidence

release-please:

    runs-on: ubuntu-latest

    steps:

      - uses: googleapis/release-please-action@v5

        with:

          token: ${{ secrets.BROWSER_AUTOMATION_BOT_TOKEN }}

          target-branch: main

RemediationAI

The problem is that `.github/workflows/release-please.yml` uses `uses: googleapis/release-please-action@v5`, which is a mutable tag that can be rewritten by a compromised maintainer to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA by replacing `@v5` with the full 40-character commit hash, e.g., `uses: googleapis/release-please-action@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v5.x.x`. This ensures the exact version of the action is used and prevents silent substitution of malicious code. Verify by running the workflow and confirming it uses the pinned SHA, and use tools like `ratchet` or `pinact` to automate SHA pinning in future updates.

Evidence

/**

 * @license

 * Copyright 2026 Google LLC

 * SPDX-License-Identifier: Apache-2.0

 */

import {spawn} from 'node:child_process';

import fs from 'node:fs';

import net from 'node:net';

import {logger} from '../logger.js';

import type {CallToolResult} from '../third_party/index.js';

import {PipeTransport} from '../third_party/index.js';

import {getTempFilePath} from '../utils/files.js';

import type {DaemonMessage, DaemonResponse} from './types.js';

import {

  DAEMON_SCRIPT_PATH,

  getSocketPath

RemediationAI

The problem is that `src/daemon/client.ts` likely contains a check-then-use pattern (e.g., `fs.existsSync()` followed by `fs.readFileSync()` or `fs.unlink()`) without atomic operations, allowing an attacker to race the filesystem and apply operations to a different target. Replace the check-then-use pattern with direct error handling: remove the `existsSync()` call and wrap the file operation in a try-catch block that handles `ENOENT` errors, e.g., `try { const data = fs.readFileSync(path); } catch (err) { if (err.code !== 'ENOENT') throw err; }`. This eliminates the race window by making the check and use atomic. Verify by writing a test that races symlink creation between the check and use, confirming the operation either succeeds atomically or fails safely.

Evidence

/**

 * @license

 * Copyright 2026 Google LLC

 * SPDX-License-Identifier: Apache-2.0

 */

import fs from 'node:fs';

import os from 'node:os';

import path from 'node:path';

import process from 'node:process';

import {logger} from '../logger.js';

import type {YargsOptions} from '../third_party/index.js';

export const DAEMON_SCRIPT_PATH = path.join(import.meta.dirname, 'daemon.js');

export const INDEX_SCRIPT_PATH = path.join(

  import.meta.dirname,

  '..',

  'bin',

  'chrome-devtools-mcp.js',

);

RemediationAI

The problem is that `src/daemon/utils.ts` likely contains a time-of-check-to-time-of-use race where `fs.existsSync()` is called before `fs.readFileSync()`, `fs.writeFileSync()`, or `fs.unlinkSync()`, allowing an attacker to replace or redirect the file via symlink. Replace the check-then-use pattern with atomic error handling: remove the `existsSync()` call and wrap the file operation in a try-catch block, e.g., `try { fs.writeFileSync(path, data); } catch (err) { if (err.code !== 'EEXIST') throw err; }`. This makes the operation atomic and eliminates the race. Verify by testing with a symlink that points to a different file and confirming the operation either succeeds on the intended file or fails safely.

Evidence

/**

 * @license

 * Copyright 2026 Google LLC

 * SPDX-License-Identifier: Apache-2.0

 */

import fs from 'node:fs';

import path from 'node:path';

import {pathToFileURL} from 'node:url';

import {parseArgs} from 'node:util';

import {GoogleGenAI, mcpToTool} from '@google/genai';

import {Client} from '@modelcontextprotocol/sdk/client/index.js';

import {StdioClientTransport} from '@modelcontextprotocol/sdk/client/stdio.js';

import {TestServer} from '../build/tests/server.js';

const ROOT_DIR = path.

RemediationAI

The problem is that `scripts/eval_gemini.ts` likely contains a check-then-use race where `fs.existsSync()` or similar is called before reading or writing a file, allowing an attacker to race the filesystem. Replace the check-then-use pattern with atomic error handling by removing the existence check and wrapping the file operation in try-catch: `try { const data = fs.readFileSync(path); } catch (err) { if (err.code !== 'ENOENT') throw err; }`. This ensures the check and use are atomic. Verify by writing a test that races file replacement between the check and use, confirming the operation either succeeds atomically or fails safely.

Evidence

#!/usr/bin/env node

/**

 * @license

 * Copyright 2026 Google LLC

 * SPDX-License-Identifier: Apache-2.0

 */

import fs from 'node:fs';

import {createServer, type Server} from 'node:net';

import path from 'node:path';

import process from 'node:process';

import {logger} from '../logger.js';

import {

  Client,

  PipeTransport,

  StdioClientTransport,

} from '../third_party/index.js';

import {VERSION} from '../version.js';

import type {DaemonMessage} from './types.js';

import {

  DAEMON_CLIENT_NA

RemediationAI

The problem is that `src/daemon/daemon.ts` likely contains a check-then-use race where `fs.existsSync()` is called before `fs.readFileSync()` or similar, allowing an attacker to replace the file via symlink between the check and use. Replace the check-then-use pattern with atomic error handling: remove the `existsSync()` call and wrap the file operation in a try-catch block, e.g., `try { const config = fs.readFileSync(configPath, 'utf8'); } catch (err) { if (err.code !== 'ENOENT') throw err; }`. This eliminates the race window. Verify by testing with a symlink that points to a sensitive file and confirming the operation either succeeds on the intended file or fails safely.

Evidence

/**

 * @license

 * Copyright 2026 Google LLC

 * SPDX-License-Identifier: Apache-2.0

 */

import * as fs from 'node:fs';

import * as path from 'node:path';

import {

  cliOptions,

  parseArguments,

} from '../build/src/bin/chrome-devtools-mcp-cli-options.js';

import {

  getPossibleFlagMetrics,

  type FlagMetric,

} from '../build/src/telemetry/flagUtils.js';

import {

  applyToExisting,

  applyToExistingMetrics,

  generateToolMetrics,

  type ToolMetric,

} from '../build/src/telemetry/toolMetricsUti

RemediationAI

The problem is that `scripts/update_metrics.ts` likely contains a check-then-use race where `fs.existsSync()` is called before `fs.readFileSync()` or `fs.writeFileSync()`, allowing an attacker to race the filesystem. Replace the check-then-use pattern with atomic error handling by removing the existence check and wrapping the file operation in try-catch: `try { const metrics = fs.readFileSync(metricsPath); } catch (err) { if (err.code !== 'ENOENT') throw err; }`. This makes the operation atomic and eliminates the race. Verify by writing a test that races file replacement and confirming the operation either succeeds atomically or fails safely.

Evidence

/**

 * Copyright 2021 Google LLC.

 * Copyright (c) Microsoft Corporation.

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, 

RemediationAI

The problem is that `rollup.config.mjs` likely contains a check-then-use race where `fs.existsSync()` is called before `fs.readFileSync()` or similar during the build process, allowing an attacker to race the filesystem. Replace the check-then-use pattern with atomic error handling: remove the `existsSync()` call and wrap the file operation in try-catch, e.g., `try { const config = fs.readFileSync(configPath); } catch (err) { if (err.code !== 'ENOENT') throw err; }`. This eliminates the race window during build time. Verify by testing the build process with a symlink that points to a different file and confirming the build either succeeds atomically or fails safely.