CVE-2025-9611 is a vulnerability identified in Microsoft Playwright MCP Server versions before 0.0.40, classified under CWE-749 (Exposed Dangerous Method or Function). The core issue is the failure to validate the Origin header on incoming HTTP connections. This validation omission allows an attacker to perform a DNS rebinding attack, a technique where the attacker manipulates DNS responses to make a victim's browser interact with a local service (in this case, the MCP server) as if it were a legitimate remote service. By exploiting this, an attacker can send unauthorized HTTP requests to the MCP server running locally on the victim's machine, triggering unintended invocation of MCP tool endpoints. These endpoints may perform sensitive operations or expose internal functionality not meant to be accessible externally. The vulnerability does not require any prior authentication and can be triggered with minimal user interaction, typically just visiting a malicious webpage. The CVSS 4.0 score of 7.2 reflects a high severity, considering the network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact covers confidentiality, integrity, and availability, with high impact on availability and integrity, and low on confidentiality. No patches are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the nature of the attack vector and the potential for local system compromise via browser-based attacks.

The vulnerability allows attackers to bypass same-origin policy protections by exploiting DNS rebinding, enabling unauthorized access to local MCP server endpoints. This can lead to unauthorized execution of commands or operations within the MCP tool, potentially compromising system integrity and availability. Confidential data exposure risk is lower but still present if sensitive information is accessible via these endpoints. The attack requires user interaction (visiting a malicious site), making social engineering a factor. Organizations relying on Playwright MCP Server for automation or testing may face disruption of services or unauthorized manipulation of their local environments. The broad use of Playwright in development environments globally increases the potential attack surface. If exploited at scale, this could lead to widespread disruption in development pipelines and local system compromise, especially in environments where local MCP servers are exposed or trusted implicitly by developers.

Until an official patch is released, organizations should implement network-level controls to restrict access to the MCP server, such as firewall rules limiting connections to localhost only. Browser security settings can be hardened to mitigate DNS rebinding attacks, including disabling or restricting DNS rebinding protections where possible. Developers should avoid running MCP servers on machines exposed to untrusted networks and educate users about the risks of visiting untrusted websites. Monitoring local MCP server logs for unusual or unauthorized requests can help detect exploitation attempts. Once patches become available, immediate application is critical. Additionally, implementing strict Origin header validation on the server side and employing Content Security Policy (CSP) headers to restrict resource loading can reduce attack vectors. Employing endpoint security solutions that detect anomalous local network traffic may also help mitigate exploitation.