CVE-2025-9611
medium
EPSS Score: 0.3%
Exploitation probability in 30 days
Top 52% most likely to be exploited
Vulnerability Report
Generated by CyberWatcher
Description
Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim's web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.