ICUICU
critical

puppeteer-mcp-server

v0.7.2

Experimental MCP server for browser automation using Puppeteer (inspired by @modelcontextprotocol/server-puppeteer)

npmmerajmehrabiFirst seen Feb 22, 2026

7

Total

2

Critical

4

High

1

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    18:         if (!browser) {
    19:             logger.info('Launching browser with config:', process.env.DOCKER_CONTAINER ? 'docker' : 'npx');
>>> 20:             browser = yield puppeteer.launch(process.env.DOCKER_CONTAINER ? dockerConfig : npxConfig);
    21:             const pages = yield browser.pages();
    22:             page = pages[0];
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    17:     return __awaiter(this, void 0, void 0, function* () {
    18:         if (!browser) {
>>> 19:             logger.info('Launching browser with config:', process.env.DOCKER_CONTAINER ? 'docker' : 'npx');
    20:             browser = yield puppeteer.launch(process.env.DOCKER_CONTAINER ? dockerConfig : npxConfig);
    21:             const pages = yield browser.pages();
Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r��y�S�Lb�ا���ǫ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��Ij��r���I�nW�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ҡ��7���J�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ҡ��7���J�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    33:     return __awaiter(this, arguments, void 0, function* (port = 9222) {
    34:         try {
>>> 35:             const response = yield fetch(`http://localhost:${port}/json/version`);
    36:             if (!response.ok) {
    37:                 throw new Error(`Failed to fetch debugger info: ${response.statusText}`);
Report false positive

Scan History

DateRiskFindings
Feb 25, 2026critical7
Feb 23, 2026critical7
Feb 22, 2026critical7