Microsoft's Playwright-MCP Server Has a Critical RCE Vulnerability

Frequently asked

What should a developer do if their team is running Playwright-MCP in a production agentic pipeline right now?

Disable or restrict access to `browser_run_code` immediately. The tool executes arbitrary JavaScript without input validation — exposure depends on whether your MCP server is reachable from untrusted input paths. Audit your agent's prompt chain for injection points, since any attacker who can influence agent input can trigger arbitrary server-side code execution through this tool.

Why do MCP tools like browser_run_code create security risks that traditional browser automation tools don't?

Traditional automation tools are invoked by deterministic code written by humans. MCP tools are invoked by AI agents whose input can be shaped by external data — web pages, user messages, retrieved documents. That makes prompt injection a live attack vector: an attacker who can influence what the agent reads can, through a vulnerable tool like `browser_run_code`, execute code on the server hosting the MCP service.

What is the strongest argument that this vulnerability is being overstated?

Playwright-MCP is developer tooling, not a production server runtime, and most deployments run it in sandboxed or local environments where the attack surface is limited. If your MCP server is not exposed to untrusted agent inputs, the practical risk is low. That argument holds for careful deployments — it does not hold for the enterprises now wiring MCP into customer-facing agentic pipelines.

More on this wire