[New Advisory] Full SSRF via Unvalidated API Request Tools in mcp-playwright #7257

@hacnho

Advisory Details

Package: @anthropic-ai/mcp-playwright (npm) / executeautomation/mcp-playwright
Repository: https://github.com/executeautomation/mcp-playwright
CWE: CWE-918 (Server-Side Request Forgery)
Severity: High

Summary

The API request tools in mcp-playwright accept arbitrary URLs without any validation or filtering. This allows full SSRF attacks against internal services, cloud metadata endpoints, and localhost.

Details

The tools that make HTTP requests (e.g., API testing tools) accept user-supplied URLs and perform requests without any restriction on the target. There is no blocklist for internal IP ranges, cloud metadata endpoints, or localhost addresses. The requests are made from the server-side context.

PoC

  1. Use the API request tool to send a request to http://169.254.169.254/latest/meta-data/
  2. Cloud metadata is returned, including IAM credentials
  3. Similarly, http://127.0.0.1:6379 can reach internal Redis, databases, etc.

Impact

Full SSRF from the MCP server context. In cloud deployments, this enables stealing IAM credentials, accessing internal services, and scanning internal networks.
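
A deny-by-default target check of the kind the report says is missing, as an added example that is not part of the original report and is not mcp-playwright code. `checkTarget` and its helpers are hypothetical names, and the list of resolved addresses is assumed to come from a DNS lookup the caller performs before the request.

```javascript
// Added example; checkTarget and its helpers are hypothetical, not mcp-playwright code.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, contains the 169.254.169.254 metadata address
  ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => acc * 256 + Number(o), 0);
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return true; // not a dotted quad: fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isBlockedV6(ip) {
  const a = ip.toLowerCase();
  if (a === '::' || a === '::1') return true;
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  if (dotted) return isBlockedV4(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a); // form the URL parser emits
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  return /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a); // fc00::/7, fe80::/10
}

const isBlockedAddress = (ip) => (ip.includes(':') ? isBlockedV6(ip) : isBlockedV4(ip));

// resolved: every address DNS returned for the hostname (the caller does the lookup).
function checkTarget(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { ok: false, reason: 'scheme not allowed' };
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const literal = host.includes(':') || v4ToInt(host) !== null;
  const addrs = literal ? [host] : resolved;
  if (addrs.length === 0) return { ok: false, reason: 'no resolved address' };
  const bad = addrs.find((ip) => isBlockedAddress(ip));
  return bad ? { ok: false, reason: `blocked address ${bad}` } : { ok: true, reason: null };
}
```

The check only holds if the request then connects to one of the addresses that were validated and every redirect target goes through `checkTarget` again. The range list covers the targets named in the report plus the common private and link-local ranges and is not exhaustive.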
