CVE-2025-9611
📋 TL;DR
Microsoft Playwright MCP Server versions before 0.0.40 lack Origin header validation, enabling DNS rebinding attacks. Attackers can exploit this via a victim's browser to send unauthorized requests to locally running MCP servers, potentially invoking tool endpoints without authorization. This affects users running vulnerable versions of the Playwright MCP Server.
💻 Affected Systems
- Microsoft Playwright MCP Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary MCP tool endpoints, potentially leading to remote code execution, data exfiltration, or system compromise depending on available tools.
Likely Case
Unauthorized invocation of MCP tool endpoints leading to unintended actions, data access, or information disclosure from the local server.
If Mitigated
Limited impact with proper network segmentation and access controls, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires a DNS rebinding setup and victim browser interaction. A proof of concept exists in the security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.0.40 and later
Vendor Advisory: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-8rgw-6xp9-2fg3
Restart Required: Yes
Instructions:
1. Update Playwright MCP Server to version 0.0.40 or later.
2. Restart the MCP server service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Network Isolation
Restrict MCP server to localhost only and block external network access (all platforms)
Configure firewall to block inbound connections to MCP server port from external networks
Origin Header Validation
Implement custom middleware to validate Origin headers (all platforms)
Add origin validation in server configuration or middleware layer
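One way to implement the Origin check described above, as an added example (not the Playwright MCP project's code or its 0.0.40 fix). It wraps a Node.js request listener and also checks the Host header, because a rebound request still names the attacker's hostname there; the port 8931, the loopback allow-list, the same-port Origin policy and all function names are assumptions.

```javascript
// Added example; not Playwright MCP source. Names a local client may use.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Parse a "host[:port]" Host header value; null if absent or malformed.
function parseHostHeader(value) {
  if (typeof value !== 'string' || value === '') return null;
  try {
    const u = new URL(`http://${value}`);
    // Anything beyond host[:port] (userinfo, path, query) is not a Host value.
    if (u.username || u.password || u.pathname !== '/' || u.search) return null;
    return { hostname: u.hostname, port: u.port || '80' };
  } catch {
    return null;
  }
}

// Origin is absent for non-browser MCP clients; when a browser sends one it
// must be this server's own loopback origin (assumed policy: same port only).
function isAllowedOrigin(origin, port) {
  if (origin === undefined) return true;
  try {
    const u = new URL(origin);
    return u.protocol === 'http:' && LOOPBACK_HOSTS.has(u.hostname) &&
      (u.port || '80') === String(port);
  } catch {
    return false; // covers the opaque "null" origin and garbage values
  }
}

// A rebound request still carries the attacker's name in Host, so check both.
function isAllowedRequest(headers, port) {
  const host = parseHostHeader(headers.host);
  if (!host || !LOOPBACK_HOSTS.has(host.hostname)) return false;
  if (host.port !== String(port)) return false;
  return isAllowedOrigin(headers.origin, port);
}

// Wrap a Node http request listener: http.createServer(withOriginGuard(h, 8931))
function withOriginGuard(handler, port) {
  return (req, res) => {
    if (!isAllowedRequest(req.headers, port)) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('Forbidden: Host or Origin not allowed\n');
      return;
    }
    handler(req, res);
  };
}
```

Binding the listener to 127.0.0.1 does not replace this check, since the rebound request originates from the victim's own browser on the same machine.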
🧯 If You Can't Patch
- Restrict MCP server to localhost-only binding (127.0.0.1)
- Implement network segmentation and firewall rules to prevent external access
🔍 How to Verify
Check if Vulnerable:
Check the Playwright MCP Server version. If the version is below 0.0.40, the system is vulnerable.
Check Version:
Check package.json or run: playwright --version (if MCP server version is displayed)
Verify Fix Applied:
Verify version is 0.0.40 or later and test that Origin headers are properly validated.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized requests to MCP endpoints
- Requests with suspicious Origin headers
- DNS rebinding attempts
Network Indicators:
- Unusual traffic patterns to MCP server port
- Requests from unexpected origins to local services
SIEM Query:
source="mcp-server" AND (status="401" OR status="403") AND origin!="expected-origin"