
This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 4mo MCP Security & Auth
✓ No known CVEs patched
This release patches 1 known CVE

Topics

ai automation browser-automation chrome claude devtools encryption google llm mcp post-quantum security typescript

Affected surfaces

auth breaking_upgrade

Summary

AI summary

Patches a path traversal vulnerability in the credential vault

Full changelog

Security Fix

This release patches a path traversal vulnerability in the credential vault.

Fixed

  • Credential ID validation - Added validateCredentialId() method to prevent path traversal attacks in get(), delete(), and update() methods
    • Blocks path traversal characters (.., /, \)
    • Enforces expected credential ID format: cred_<timestamp>_<random>
    • Throws CredentialSecurityError on invalid input
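The three checks listed above, sketched as an added example (this is not the project's source code). It pairs the denylist with a strict format allowlist and runs both over constructed inputs. The ID regex (decimal timestamp, alphanumeric random part), the `.enc` suffix and the helpers `credentialFileName` and `check` are assumptions made for illustration.

```javascript
// Added example; not the project's source. The ID alphabet below is an assumption.
class CredentialSecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "CredentialSecurityError";
  }
}

// Assumed shape of cred_<timestamp>_<random>: decimal timestamp, alphanumeric suffix.
const CREDENTIAL_ID_FORMAT = /^cred_\d{1,16}_[A-Za-z0-9]{4,64}$/;

function validateCredentialId(id) {
  // Reject non-strings first: an array such as ["cred_1_abcd"] would be
  // coerced to a string by RegExp.test() and pass the checks below.
  if (typeof id !== "string") {
    throw new CredentialSecurityError("credential ID must be a string");
  }
  // Denylist from the changelog: "..", "/" and "\".
  if (id.includes("..") || id.includes("/") || id.includes("\\")) {
    throw new CredentialSecurityError("path traversal characters in credential ID");
  }
  // Allowlist: anything that is not exactly the expected format is refused,
  // which also covers NUL bytes, percent-encoded dots and trailing newlines.
  if (!CREDENTIAL_ID_FORMAT.test(id)) {
    throw new CredentialSecurityError("credential ID does not match expected format");
  }
  return id;
}

// Hypothetical vault helper: validation runs before the ID reaches a file name.
function credentialFileName(id) {
  return `${validateCredentialId(id)}.enc`;
}

// Returns "ok" or the rejection message, for checking the constructed inputs.
function check(id) {
  try {
    credentialFileName(id);
    return "ok";
  } catch (err) {
    if (err instanceof CredentialSecurityError) return err.message;
    throw err;
  }
}

// Constructed sample inputs.
const samples = ["cred_1700000000000_a1b2c3d4", "../other/cred_1_abcd",
  "..\\other\\cred_1_abcd", "cred_1_abcd\u0000", "cred_1_%2e%2e", ["cred_1_abcd"]];
for (const s of samples) console.log(JSON.stringify(s), "->", check(s));
```

The format allowlist is the stronger of the two checks: every input the denylist rejects also fails the format match, while the encoded, NUL-terminated and non-string inputs are caught only by the allowlist and the type check.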

Upgrade

npm update @pansec/chrome-mcp-secure

Full Changelog: https://github.com/Pantheon-Security/chrome-mcp-secure/compare/v2.3.0...v2.3.1

Security Fixes

  • Added validateCredentialId() to block path traversal characters and enforce credential ID format, throwing CredentialSecurityError on invalid input


About Pantheon-Security/chrome-mcp-secure

Security-hardened Chrome automation with post-quantum encryption (ML-KEM-768 + ChaCha20-Poly1305), secure credential vault, memory scrubbing, and audit logging. 22 tools for browser automation and secure logins.
