CVE-2025-9611

Published: Jan 7, 2026

Modified: Mar 5, 2026

PUBLISHED

Description

Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.

Vendor | Product | Versions
Microsoft | Playwright | affected: 0 - < 0.0.40

Weaknesses (CWE)
