πŸ” CVE Alert

CVE-2025-9611

UNKNOWN 0.0

Microsoft Playwright MCP Server < 0.0.40 DNS Rebinding via Missing Origin Header Validation

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim's web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.

CWE: CWE-749
Vendor: microsoft
Product: playwright
Ecosystems
Industries: Technology, Enterprise
Published: Jan 7, 2026
Last Updated: Mar 5, 2026

Affected Versions

Microsoft / Playwright
0 < 0.0.40

References

github.com: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-8rgw-6xp9-2fg3
github.com: https://github.com/microsoft/playwright/commit/1313fbd
vulncheck.com: https://www.vulncheck.com/advisories/microsoft-playwright-mcp-server-dns-rebinding-via-missing-origin-header-validation

Credits

Jonathan Leitschuh