CVE-2025-9611 Overview
Microsoft Playwright MCP Server versions prior to 0.0.40 contain a DNS rebinding vulnerability caused by missing Origin header validation on incoming connections. The flaw lets an attacker use a victim's web browser to perform DNS rebinding attacks against locally running MCP (Model Context Protocol) servers, enabling unauthorized invocation of MCP tool endpoints without any authentication.
Critical Impact
Attackers can bypass same-origin protections and execute unauthorized commands against local MCP server instances, potentially leading to data exfiltration, system manipulation, or further exploitation of connected browser automation tools.
Affected Products
- Microsoft Playwright MCP Server versions prior to 0.0.40
- Systems running local MCP server instances accessible via localhost
Discovery Timeline
- 2026-01-07 - CVE-2025-9611 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-9611
Vulnerability Analysis
This vulnerability falls under CWE-749 (Exposed Dangerous Method or Function), where the MCP server exposes sensitive tool endpoints without properly validating the origin of incoming requests. The Playwright MCP server is designed to facilitate browser automation through the Model Context Protocol, but prior to version 0.0.40, it failed to implement DNS rebinding protections.
DNS rebinding attacks exploit the way web browsers enforce the same-origin policy, which is keyed on the hostname in the URL rather than on the address it resolves to. An attacker controls the DNS records for a domain so that it first resolves to an attacker-controlled server and then, once the short TTL expires, to the victim's loopback address (127.0.0.1). Because the MCP server did not validate the Origin header, it accepted these requests as legitimate, allowing the attacker to invoke arbitrary MCP tool endpoints.
Root Cause
The root cause is the absence of Origin header validation and DNS rebinding protection mechanisms in the MCP server's request handling logic. The server blindly accepted connections without verifying whether the request originated from a trusted source, making it susceptible to cross-origin attacks performed through DNS rebinding techniques.
Attack Vector
The attack requires user interaction where a victim must visit a malicious website controlled by the attacker. The attack flow proceeds as follows:
- Victim visits attacker-controlled website
- Malicious JavaScript on that site issues requests to an attacker-owned domain whose DNS record has a short TTL
- DNS resolution for that domain is rebound from the attacker's IP to the victim's localhost (127.0.0.1)
- The browser now sends the page's requests to the locally running MCP server while still treating them as same-origin with the attacker's domain
- MCP server accepts requests without validating the Origin header
- Attacker gains unauthorized access to MCP tool endpoints, enabling arbitrary browser automation commands
// Security patch introducing allowedHosts for DNS rebinding protection
// Source: https://github.com/microsoft/playwright/commit/1313fbd
type ViewportSize = { width: number; height: number };
export type CLIOptions = {
+ allowedHosts?: string[];
allowedOrigins?: string[];
blockedOrigins?: string[];
blockServiceWorkers?: boolean;
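Review bot: the new `allowedHosts?: string[]` field on `CLIOptions` has no doc comment, and its neighbours `allowedOrigins`/`blockedOrigins` have near-identical names, so a reader cannot tell from this hunk which of the three governs DNS rebinding protection. Suggest carrying over the config-type wording ("This is not for CORS, but rather for the DNS rebinding protection") as a one-line comment above the added field.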
// Configuration type definition for DNS rebinding protection
// Source: https://github.com/microsoft/playwright/commit/1313fbd
* The host to bind the server to. Default is localhost. Use 0.0.0.0 to bind to all interfaces.
*/
host?: string;
+ /**
+ * The hosts this server is allowed to serve from. Defaults to the host server is bound to.
+ * This is not for CORS, but rather for the DNS rebinding protection.
+ */
+ allowedHosts?: string[];
},
/**
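Review bot: the added doc comment reads "Defaults to the host server is bound to" (should be "the host the server is bound to") and leaves the most important case undefined: the `host` comment directly above says `0.0.0.0` binds to all interfaces, so when `allowedHosts` is omitted in that configuration the default allowlist should be stated explicitly (whether any Host header is then accepted, or none), since that is exactly the deployment the rebinding protection needs to cover.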
Detection Methods for CVE-2025-9611
Indicators of Compromise
- Unexpected network connections to localhost MCP server ports from browser processes
- DNS responses with unusually short TTL values that resolve external domain names to localhost or other private addresses
- MCP server logs showing requests with suspicious or mismatched Origin headers
- Anomalous browser automation activities not initiated by legitimate users
Detection Strategies
- Monitor network traffic for DNS rebinding patterns, including rapid DNS TTL changes and localhost resolution from external domains
- Implement logging on MCP server instances to capture and alert on requests with unusual Origin headers
- Deploy browser security extensions that detect and block DNS rebinding attempts
- Audit MCP server configurations to identify instances running without Origin validation
Monitoring Recommendations
- Enable verbose logging on Playwright MCP server instances to track incoming request origins
- Set up alerts for MCP tool endpoint invocations that originate from unexpected sources
- Monitor for suspicious JavaScript execution patterns in browser environments that interact with local services
- Review network security logs for patterns consistent with DNS rebinding reconnaissance
How to Mitigate CVE-2025-9611
Immediate Actions Required
- Upgrade Microsoft Playwright MCP Server to version 0.0.40 or later immediately
- Audit all systems running MCP server instances and verify version compliance
- Configure the allowedHosts parameter to explicitly restrict which host names the server will answer to (the Host header values it will serve), so that a request carrying an attacker's domain in its Host header is rejected even though it arrived on the loopback interface
- Review MCP server access logs for any signs of prior exploitation
Patch Information
Microsoft has addressed this vulnerability in Playwright MCP Server version 0.0.40 by introducing the allowedHosts configuration option. The server now validates the host named in each incoming request against an allowlist of permitted hosts, which defeats DNS rebinding because a rebound request still carries the attacker's domain rather than a permitted host. The fix is detailed in commit 1313fbd. Additional information is available in the GitHub Security Advisory and the VulnCheck Advisory.
Workarounds
- Restrict MCP server binding to localhost only and avoid binding to all interfaces (0.0.0.0)
- Implement network-level firewall rules to block external access to MCP server ports
- Use a reverse proxy with Origin header validation in front of MCP server instances
- Disable MCP server when not actively in use for browser automation tasks
# Configuration example - restrict MCP server to trusted hosts only
# In your Playwright MCP configuration, specify allowed hosts:
# Example configuration to mitigate DNS rebinding
export PLAYWRIGHT_MCP_ALLOWED_HOSTS="localhost,127.0.0.1"
# Alternatively, configure in your MCP server initialization:
# server: {
# host: 'localhost',
# allowedHosts: ['localhost', '127.0.0.1']
# }
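The check below is an added illustration of the allowedHosts-style guard this advisory describes and is not Playwright's own code; it also serves the detection item above about alerting on mismatched Origin headers, since the same function can be replayed over logged request headers. It assumes requests are available as plain header records, that the bound host is known, and (an assumption, not documented behaviour) that a server bound to 0.0.0.0 without an explicit allowlist accepts only loopback names.

```typescript
type HeaderMap = Record<string, string | undefined>;

interface GuardOptions {
  host: string;            // address the server is bound to
  allowedHosts?: string[]; // optional allowlist; defaults to the bound host
}

// Lower-case a host[:port] value and drop the port so that
// "Localhost:8931" and "[::1]:8931" match their allowlist entries.
function normalizeHost(value: string): string {
  const v = value.trim().toLowerCase();
  if (v.startsWith("[")) {                       // bracketed IPv6 literal
    const end = v.indexOf("]");
    return end === -1 ? v : v.slice(0, end + 1);
  }
  const i = v.lastIndexOf(":");
  return i === -1 ? v : v.slice(0, i);
}

function effectiveAllowedHosts(opts: GuardOptions): string[] {
  if (opts.allowedHosts && opts.allowedHosts.length > 0)
    return opts.allowedHosts.map(normalizeHost);
  // Assumption: bound to all interfaces means no single safe default,
  // so only loopback names are accepted until an allowlist is configured.
  if (opts.host === "0.0.0.0" || opts.host === "::")
    return ["localhost", "127.0.0.1", "[::1]"];
  return [normalizeHost(opts.host)];
}

// Returns null when the request may be served, otherwise the rejection
// reason. The Host header is copied by the browser from the URL it believes
// it is talking to, so after a rebinding it still names the attacker's
// domain even though the TCP connection reached localhost.
function rebindingCheck(headers: HeaderMap, opts: GuardOptions): string | null {
  const allowed = effectiveAllowedHosts(opts);
  const host = headers["host"];
  if (!host) return "missing Host header";
  if (!allowed.includes(normalizeHost(host))) return `Host not allowed: ${host}`;
  const origin = headers["origin"];
  if (origin) {
    // Browser-initiated cross-site requests carry Origin; it must also name
    // a permitted host, otherwise a foreign page is driving the server.
    let originHost: string;
    try { originHost = normalizeHost(new URL(origin).host); }
    catch { return `malformed Origin: ${origin}`; }
    if (!allowed.includes(originHost)) return `Origin not allowed: ${origin}`;
  }
  return null;
}
```

Running the same function over an access log's Host and Origin columns gives the "mismatched Origin header" signal listed under Indicators of Compromise.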
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

