CVE-2025-9611

Source
https://cve.org/CVERecord?id=CVE-2025-9611
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9611.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-9611
Aliases
Published
2026-01-07T04:24:13.705Z
Modified
2026-07-16T03:31:14.056237721Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L CVSS Calculator
Summary
Microsoft Playwright MCP Server < 0.0.40 DNS Rebinding via Missing Origin Header Validation
Details

Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.

Database specific
{
    "cwe_ids": [
        "CWE-749"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9611.json",
    "cna_assigner": "VulnCheck",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "0.0.40"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "fixed": "0.0.40"
                }
            ],
            "source": "CPE_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/microsoft/playwright

Affected ranges

Type
GIT
Repo
https://github.com/microsoft/playwright
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9611.json"