Skip to content

Releases: Pantheon-Security/chrome-mcp-secure

v2.3.1 - Security Patch

23 Jan 21:05
@rosschurchill rosschurchill
v2.3.1
43646d0

Choose a tag to compare

View all tags
v2.3.1 - Security Patch Latest
Latest

Security Fix

This release patches a path traversal vulnerability in the credential vault.

Fixed

  • Credential ID validation - Added validateCredentialId() method to prevent path traversal attacks in get(), delete(), and update() methods
    • Blocks path traversal characters (.., /, \)
    • Enforces expected credential ID format: cred_<timestamp>_<random>
    • Throws CredentialSecurityError on invalid input

Upgrade

npm update @pansec/chrome-mcp-secure

Full Changelog: v2.3.0...v2.3.1

Assets 2
Loading

v2.3.0 - Phase 1: Logging & Audit Foundation

15 Dec 19:14
@rosschurchill rosschurchill
v2.3.0
62f208e

Choose a tag to compare

View all tags
v2.3.0 - Phase 1: Logging & Audit Foundation

Chrome MCP Secure v2.3.0

Phase 1: Logging & Audit Foundation (Compliance Roadmap)

First phase of our compliance initiative, adding enterprise-grade audit logging for SOC 2, GDPR, and PCI-DSS requirements.

New Compliance Module

Component Description
Audit Logger Structured events with hash-chained integrity
CEF Formatter SIEM integration (Splunk, ArcSight, QRadar)
JSON-LD Formatter Linked Data for compliance tools
Log Shipper Webhook, Syslog, S3/GCS destinations
Retention Manager Rotation, compression, secure deletion
Log Verifier Integrity verification with certificates

Key Features

  • Hash-Chained Audit Trail - Tamper-evident logging
  • Compliance Tagging - SOC2, GDPR, PCI-DSS, ISO27001 markers
  • SIEM Integration - CEF format for security tools
  • Retention Policies - Configurable up to 365+ days
  • Secure Deletion - Cryptographic deletion certificates
  • Integrity Verification - CLI tool to verify log integrity

New Files (3,000+ lines)

src/compliance/
├── audit-logger.ts      # Core audit logging
├── formats/
│   ├── cef.ts           # Common Event Format
│   └── json-ld.ts       # Linked Data format
├── log-shipper.ts       # External destinations
├── retention-manager.ts # Lifecycle management
├── log-verifier.ts      # Integrity checking
└── index.ts             # Module exports

Environment Variables

# Audit
CHROME_MCP_AUDIT_FORMAT=jsonl|cef|json-ld
CHROME_MCP_AUDIT_HASH_CHAIN=true

# Shipping
CHROME_MCP_LOG_DESTINATION=webhook|syslog|s3
CHROME_MCP_WEBHOOK_URL=https://...
CHROME_MCP_SYSLOG_HOST=localhost

# Retention
CHROME_MCP_LOG_RETENTION_DAYS=365
CHROME_MCP_LOG_ROTATION=daily
CHROME_MCP_SECURE_DELETE=true

What's Next

See COMPLIANCE-ROADMAP.md for upcoming phases:

  • Phase 2: GDPR & Privacy (data rights, deletion certificates)
  • Phase 3: SOC 2 & Enterprise (key rotation, RBAC)
  • Phase 4: Advanced (breach detection, multi-tenancy)

#soc2 #gdpr #compliance #audit-logging #siem

Loading

v2.2.1 - Cross-Platform File Permissions Fix

11 Dec 07:34
@rosschurchill rosschurchill
v2.2.1
aa2167b

Choose a tag to compare

View all tags
v2.2.1 - Cross-Platform File Permissions Fix

Chrome MCP Secure v2.2.1

Cross-Platform File Permissions Fix

Fixed

  • All file operations now use centralized file-permissions.ts utility
    • Fixed 12 instances of insecure fs.mkdirSync() and fs.writeFileSync() calls
    • Proper Windows ACL support via icacls
    • Consistent 0o700 directory and 0o600 file permissions on Unix

Files Updated

File Changes
crypto.ts Uses mkdirSecure() and writeFileSecure()
credential-vault.ts Uses mkdirSecure() and writeFileSecure()
secure-memory.ts Deprecated internal functions, delegates to file-permissions.ts
mcp-auth.ts Uses mkdirSecure() and writeFileSecure()
logger.ts Audit log directory uses mkdirSecure()

This is the same fix applied to notebooklm-mcp-secure v1.5.1.

Full Changelog

See CHANGELOG.md

Loading

v2.2.0 - Advanced Security Modules

11 Dec 05:56
@rosschurchill rosschurchill
v2.2.0
15a20f3

Choose a tag to compare

View all tags
v2.2.0 - Advanced Security Modules

Chrome MCP Secure v2.2.0

Advanced Security Modules Release

New Security Features

Module Description
Secrets Scanner Detects 25+ credential patterns (AWS, GitHub, Slack, Stripe, OpenAI, Anthropic keys, private keys, JWTs, credit cards, SSNs)
Response Validator Prompt injection detection (15 patterns), suspicious URL blocking, encoded payload detection
Session Manager Credential session lifecycle with 8h max lifetime and 30min inactivity timeout
MCP Authentication Token-based auth with auto-generation, SHA256 hashing, brute-force lockout
Certificate Pinning SPKI-style pinning for Google, GitHub, Microsoft, Anthropic, OpenAI domains
Screenshot Redaction Auto-redacts password fields, credit cards, CVV, SSN, API keys in screenshots

Installation

git clone https://github.com/Pantheon-Security/chrome-mcp-secure.git
cd chrome-mcp-secure
./setup.sh

What's Changed

  • 6 new security modules totaling 3,000+ lines of security hardening
  • Patterns derived from MEDUSA AI Security Scanner, TruffleHog, and GitLeaks
  • Comprehensive CHANGELOG.md documenting all versions
  • Hashtags for discoverability

Full Changelog

See CHANGELOG.md

#anthropic #mcp #claude #mcp-server #ai-agent #chrome #browser-automation #security #post-quantum #encryption #pantheon-security

Loading