Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/73230?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/73230?format=api", "purl": "pkg:npm/%40playwright/mcp@0.0.40", "type": "npm", "namespace": "@playwright", "name": "mcp", "version": "0.0.40", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49606?format=api", "vulnerability_id": "VCID-yf1n-2ee3-47dj", "summary": "Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools\nMicrosoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.", "references": [ { "reference_url": "https://github.com/microsoft/playwright/commit/1313fbd", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/microsoft/playwright/commit/1313fbd" }, { "reference_url": "https://github.com/microsoft/playwright-mcp", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/microsoft/playwright-mcp" }, { "reference_url": "https://github.com/microsoft/playwright-mcp/issues/1206", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/microsoft/playwright-mcp/issues/1206" }, { "reference_url": "https://msrc.microsoft.com/report/vulnerability/VULN-164412", "reference_id": "", "reference_type": "", "scores": [], "url": "https://msrc.microsoft.com/report/vulnerability/VULN-164412" }, { "reference_url": "https://www.vulncheck.com/advisories/microsoft-playwright-mcp-server-dns-rebinding-via-missing-origin-header-validation", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://www.vulncheck.com/advisories/microsoft-playwright-mcp-server-dns-rebinding-via-missing-origin-header-validation" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9611", "reference_id": "CVE-2025-9611", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9611" }, { "reference_url": "https://github.com/advisories/GHSA-6fg3-hvw7-2fwq", "reference_id": "GHSA-6fg3-hvw7-2fwq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6fg3-hvw7-2fwq" }, { "reference_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-8rgw-6xp9-2fg3", "reference_id": "GHSA-8rgw-6xp9-2fg3", "reference_type": "", "scores": [], "url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-8rgw-6xp9-2fg3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73230?format=api", "purl": "pkg:npm/%40playwright/mcp@0.0.40", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540playwright/mcp@0.0.40" } ], "aliases": [ "CVE-2025-9611", "GHSA-6fg3-hvw7-2fwq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yf1n-2ee3-47dj" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540playwright/mcp@0.0.40" }