CVE-2025-9611
Origin Header Validation Flaw in Microsoft Playwright MCP Enables DNS Rebinding
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | playwright_mcp_server | up to 0.0.40 (exclusive) |
| microsoft | playwright_mcp_server | 0.0.39 |
| microsoft | playwright_mcp_server | 0.0.40 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-749 | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Microsoft Playwright MCP Server versions prior to 0.0.40, where the server fails to validate the Origin header on incoming connections. This flaw allows an attacker to perform a DNS rebinding attack through a victim's web browser, enabling the attacker to send unauthorized requests to a locally running MCP server and cause unintended invocation of MCP tool endpoints.
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker to exploit a DNS rebinding attack to send unauthorized requests to your local MCP server. This can lead to unintended execution of MCP tool endpoints, potentially compromising the security and integrity of your system or data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your Microsoft Playwright MCP Server version is prior to 0.0.40, as those versions fail to validate the Origin header and are vulnerable to DNS rebinding attacks. To confirm exploitation attempts, monitor HTTP requests to the MCP server for suspicious or spoofed Origin and Host headers coming from browsers, especially those originating from attacker-controlled domains. A proof-of-concept involves sending a JSON-RPC "initialize" method call with an Origin header set to an attacker-controlled domain and observing if the server responds. Network monitoring tools or HTTP request logging on the MCP server can help detect such unauthorized requests. Specific commands are not provided in the resources, but you can use tools like curl or HTTP proxies to simulate requests with spoofed Origin and Host headers to test the server's response. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Microsoft Playwright MCP Server to version 0.0.40 or later, where the vulnerability is fixed by enforcing strict Host header validation to reject unauthorized domains. Additionally, configure the MCP server's new "allowedHosts" option to specify the list of allowed hosts, either via the CLI option `--allowed-hosts` or the environment variable `PLAYWRIGHT_MCP_ALLOWED_HOSTNAMES`. This configuration ensures that the server only accepts requests from authorized hosts, effectively preventing DNS rebinding attacks. If upgrading immediately is not possible, consider restricting network access to the MCP server to trusted hosts only and monitoring for suspicious requests. [1, 3]
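The following is an added illustration of the Host/Origin allowlist check that the fix above describes, written here for this page and not taken from the Playwright MCP code base. It assumes a comma-separated hostname list in the style of the `--allowed-hosts` option and the `PLAYWRIGHT_MCP_ALLOWED_HOSTNAMES` variable (the exact parsing rules of those options are not stated on the page), that entries are compared by hostname without port, and it uses a constructed local port of 8931 in its sample requests. The point it demonstrates is why Host validation defeats DNS rebinding: a rebound browser request still carries the attacker's domain in its Host header, so a server that only accepts its own configured hostnames never dispatches that request to a tool endpoint.

```javascript
// Added example (not Playwright MCP's own code): allowlist validation of the
// Host and Origin headers on a local JSON-RPC/MCP-style HTTP server.

// Parse an allowlist such as "localhost,127.0.0.1" (format assumed for this example).
// Entries are lower-cased hostnames without ports.
function parseAllowedHosts(value) {
  return new Set(
    String(value || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean)
  );
}

// Extract the hostname from a Host header value, dropping any port and the
// brackets of an IPv6 literal. Returns null when the header is missing or malformed.
function hostnameOf(hostHeader) {
  if (typeof hostHeader !== "string" || hostHeader.trim() === "") return null;
  let h = hostHeader.trim().toLowerCase();
  if (h.startsWith("[")) {
    const end = h.indexOf("]");
    return end === -1 ? null : h.slice(1, end);
  }
  const idx = h.lastIndexOf(":");
  if (idx !== -1) h = h.slice(0, idx);
  return h.length ? h : null;
}

// Extract the hostname from an Origin header. Returns undefined when the header is
// absent (typical for non-browser clients), and null when it is malformed or the
// opaque "null" origin, which should not be trusted.
function originHostname(originHeader) {
  if (originHeader === undefined) return undefined;
  try {
    let h = new URL(originHeader).hostname.toLowerCase();
    if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
    return h;
  } catch (_err) {
    return null;
  }
}

// Decide whether a request may reach the tool endpoints. `headers` is a plain object
// with lower-case keys, as Node's http module provides. Returns { ok, reason }.
function checkRequestHeaders(headers, allowedHosts) {
  const host = hostnameOf(headers.host);
  if (host === null) return { ok: false, reason: "missing or malformed Host header" };
  // A DNS-rebound request arrives with the attacker's domain in Host, because the
  // browser still believes it is talking to that domain. Rejecting any Host outside
  // the allowlist is the core of the mitigation described in this record.
  if (!allowedHosts.has(host)) return { ok: false, reason: `Host not allowed: ${host}` };
  const origin = originHostname(headers.origin);
  if (origin === undefined) return { ok: true }; // no Origin: non-browser client, Host already checked
  if (origin === null || !allowedHosts.has(origin)) {
    return { ok: false, reason: `Origin not allowed: ${String(headers.origin)}` };
  }
  return { ok: true };
}

// Constructed sample requests (port 8931 and the attacker domain are placeholders):
// what a local client, a same-origin browser page, and a rebound browser page send.
const SAMPLE_REQUESTS = [
  { label: "local CLI client", headers: { host: "localhost:8931" } },
  { label: "same-origin page", headers: { host: "localhost:8931", origin: "http://localhost:8931" } },
  { label: "DNS-rebound page", headers: { host: "attacker.example:8931", origin: "http://attacker.example:8931" } },
  { label: "cross-origin page", headers: { host: "localhost:8931", origin: "http://attacker.example" } },
];

// Run the check over the samples and return the verdict per label.
function evaluateSamples(allowlistValue) {
  const allowed = parseAllowedHosts(allowlistValue);
  const result = {};
  for (const { label, headers } of SAMPLE_REQUESTS) {
    result[label] = checkRequestHeaders(headers, allowed);
  }
  return result;
}

// Stand-alone run: print each verdict.
for (const [label, verdict] of Object.entries(evaluateSamples("localhost,127.0.0.1"))) {
  console.log(label.padEnd(18), verdict.ok ? "allowed" : `rejected (${verdict.reason})`);
}
```

Only the first two sample requests pass; the rebound request fails on Host alone, so the Origin check never needs to run for it. Requests without an Origin header are accepted here once Host is valid, which mirrors a local stdio-style or curl client; whether such clients should additionally authenticate is a separate policy decision the record does not address.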