Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
C upgraded to H from C:N because upload_file demonstrably exfiltrates out-of-root file contents; all other metrics consistent with local, low-privilege symlink placement.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0.
AnalysisAI
Symlink-based workspace boundary bypass in chrome-devtools-mcp (versions 0.24.0 through before 1.1.0) allows a local low-privileged actor - including an AI coding agent itself - to read or overwrite files outside the configured workspace root. The McpContext.validatePath() function performs only a lexical prefix check on the resolved path and never canonicalizes symbolic links, so an in-root symlink whose target lies outside the root passes validation and causes downstream file operations to act on the real out-of-workspace target. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) A symbolic link must exist inside a configured workspace root directory - this can be placed by the AI agent itself if it processes attacker-controlled content (e.g., a cloned repository containing a pre-built symlink), by a co-located local process, or by any local user with write access to the workspace; (2) chrome-devtools-mcp must be running version 0.24.0 through 1.0.x; (3) the MCP client must have the roots capability declared and configured with at least one root path (the bug is NOT the undocumented legacy path where roots is absent). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 6.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) captures the local attack vector and high integrity impact accurately, but its C:N rating is inconsistent with the CVE description, which explicitly states that upload_file can read a symlink target and transmit its contents to the currently selected web page - a direct confidentiality breach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious Git repository cloned by an AI coding agent into the workspace contains a pre-crafted symbolic link at workspace/configs/settings -> /etc/cron.d/evil. When the agent's file-writing tool is invoked against workspace/configs/settings, validatePath() resolves the path to /workspace/configs/settings, passes the root prefix check, and the downstream write follows the symlink and creates or overwrites the cron job outside the workspace boundary. … |
| Remediation | Upgrade chrome-devtools-mcp to version 1.1.0, the vendor-released patch that fixes validatePath() by canonicalizing symbolic links before performing the workspace root prefix check. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39104