CVE-2025-9611 – Microsoft Playwright MCP Server Origin Header Validation Bypass

CVE ID : CVE-2025-9611

Published : Jan. 7, 2026, 6:28 a.m. | 1 hour, 58 minutes ago

Description : Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…