PT-2026-50471 · Npm · Chrome-Devtools-Mcp

Published 2026-06-17 · Updated 2026-06-18 · CVE-2026-53765

CVSS v3.1: 6.1 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: chrome-devtools-mcp (affected versions not specified)

Description: On POSIX systems, specifically macOS and Linux sessions where the XDG_RUNTIME_DIR environment variable is unset, the daemon writes its PID file to a deterministic path in /tmp using fs.writeFileSync(). Because this operation does not use the O_NOFOLLOW flag, a local low-privilege user can pre-create the PID file path as a symbolic link pointing to any file the victim has permission to write. When the victim starts the daemon, the process follows the symlink and truncates the target file, overwriting its content with the daemon's PID string. This can corrupt critical files such as ~/.ssh/authorized_keys, shell configuration files like ~/.bashrc, or project secrets.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Link Following

Related Identifiers

CVE-2026-53765
GHSA-3PVJ-JV98-QHJQ

Affected Products

Chrome-Devtools-Mcp