CRXaminer

React Developer Tools

Version 7.0.1

Last scanned: 3 days ago

Extension Details

Rating: 4.0 ★ (1.6K ratings)
Users: 5,000,000

Context-Aware Verdict

Overall Risk: MEDIUM
Trust Factors:

React Developer Tools is an official extension from Meta (Facebook) for debugging React applications, with an impressive 5 million users and a solid 4.0 rating. The extension's legitimate purpose as a development tool and its widespread adoption in the developer community provide strong credibility indicators. The high user count suggests extensive real-world testing and community oversight.

Concerns:

While the security findings flag several high-risk permissions, these are actually necessary for the extension's core functionality. The broad host permissions and content script injection capabilities are required to inspect React components across any website during development. The tabs permission enables the extension to detect React applications and communicate between developer tools panels. However, these same permissions could theoretically be misused if the extension were compromised.

The storage permission is standard for maintaining debugging preferences and session data. The main concern is the extensive access scope, which creates a large attack surface if vulnerabilities exist.

Recommendations:

Given the extension's legitimate purpose and strong reputation, the risk is manageable for developers who need React debugging capabilities. Consider using it only in a dedicated development browser profile to isolate it from personal browsing. Regularly update the extension and monitor for any unusual behavior. Non-React developers should avoid installing this extension as the broad permissions aren't justified without the specific use case.

Findings

HIGH: Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH: High-Risk Permission: tabs
This extension has the tabs permission, which lets it access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

MEDIUM: Medium-Risk Permission: storage
This extension has the storage permission, which lets it store data locally.