CVE-2025-9611
Unknown Unknown - Not Provided
Origin Header Validation Flaw in Microsoft Playwright MCP Enables DNS Rebinding

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: VulnCheck

Description
Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9611
EUVD
EUVD-2026-1179
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
microsoft playwright_mcp_server to 0.0.40 (exc)
microsoft playwright_mcp_server 0.0.39
microsoft playwright_mcp_server 0.0.40
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Microsoft Playwright MCP Server versions prior to 0.0.40, where the server fails to validate the Origin header on incoming connections. This flaw allows an attacker to perform a DNS rebinding attack through a victim's web browser, enabling the attacker to send unauthorized requests to a locally running MCP server and cause unintended invocation of MCP tool endpoints.

Impact Analysis

The vulnerability can impact you by allowing an attacker to exploit a DNS rebinding attack to send unauthorized requests to your local MCP server. This can lead to unintended execution of MCP tool endpoints, potentially compromising the security and integrity of your system or data.

Detection Guidance

You can detect this vulnerability by checking if your Microsoft Playwright MCP Server version is prior to 0.0.40, as those versions fail to validate the Origin header and are vulnerable to DNS rebinding attacks. To confirm exploitation attempts, monitor HTTP requests to the MCP server for suspicious or spoofed Origin and Host headers coming from browsers, especially those originating from attacker-controlled domains. A proof-of-concept involves sending a JSON-RPC "initialize" method call with an Origin header set to an attacker-controlled domain and observing if the server responds. Network monitoring tools or HTTP request logging on the MCP server can help detect such unauthorized requests. Specific commands are not provided in the resources, but you can use tools like curl or HTTP proxies to simulate requests with spoofed Origin and Host headers to test the server's response. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the Microsoft Playwright MCP Server to version 0.0.40 or later, where the vulnerability is fixed by enforcing strict Host header validation to reject unauthorized domains. Additionally, configure the MCP server's new "allowedHosts" option to specify the list of allowed hosts, either via the CLI option `--allowed-hosts` or the environment variable `PLAYWRIGHT_MCP_ALLOWED_HOSTNAMES`. This configuration ensures that the server only accepts requests from authorized hosts, effectively preventing DNS rebinding attacks. If upgrading immediately is not possible, consider restricting network access to the MCP server to trusted hosts only and monitoring for suspicious requests. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9611. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart