chrome-devtools
Audited by Socket on Feb 27, 2026
1 alert found:
Security: This module is a high-risk automation API when deployed without access controls: it allows unauthenticated remote control of a browser, arbitrary navigation, and arbitrary JavaScript execution inside pages (via eval inside page.evaluate). While there is no evidence of intentionally malicious code (no obfuscation, no clear backdoor or shell execution), the design enables severe abuse (SSRF, data exfiltration, remote code execution in the browser context). Recommend not exposing this service to untrusted networks, adding strong authentication/authorization, restricting navigation targets, removing the eval-based evaluate endpoint or restricting the allowed expressions, and fixing the event listener memory-leak bug. If used in CI or internal tooling, ensure the browser runs in a constrained environment and the API is firewalled.