Vulnerability in Microsoft Playwright
CVE-2025-9611
Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a…
EPSS: 0.008 (53.4th percentile)
Affected products
- Microsoft Playwright — versions 0
Weakness classification (CWE)
References
- disclosure@vulncheck.com (vendor-advisory, technical-description, exploit)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (third-party-advisory)