Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools

Severity:: High

Description

Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.

Recommendation

Update the @playwright/mcp package to the latest compatible version. Followings are version details:

Affected version(s): < 0.0.40
Patched version(s): 0.0.40

References

GHSA-6fg3-hvw7-2fwq
www.vulncheck.com
msrc.microsoft.com
CVE-2025-9611
CWE-749
CAPEC-310
OWASP 2021-A6

Related Issues

Signal K Server Vulnerable to Access Request Spoofing - CVE-2025-69203
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
SillyTavern Web Interface Vulnerable DNS Rebinding - CVE-2025-59159
vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522

Tags:: npm; @playwright/mcp

Anything's wrong? Let us know Last updated on January 07, 2026