CVE-2025-9611
Description
Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim's web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.
Analysis
Microsoft Playwright MCP Server versions up to 0.0.40 contain a vulnerability that allows attackers to perform a DNS rebinding attack via a victim's web browser and send unauthorized requests to a locally running MCP server.
Technical Context
This vulnerability affects Microsoft Playwright MCP Server. Versions prior to 0.0.40 do not validate the Origin header on incoming connections, so a web page loaded in a victim's browser can use DNS rebinding to reach a locally running MCP server and send it unauthorized requests, resulting in unintended invocation of MCP tool endpoints.
Affected Products
Product: Microsoft Playwright MCP Server. Versions: up to 0.0.40.
Remediation
Monitor vendor advisories for a patch.
External POC / Exploit Code
GHSA-6fg3-hvw7-2fwq