Add GHSA-fhw2-h46x-v2mj: Arbitrary local file disclosure in @playwright/mcp

[mmzha2013]

Summary

Submitting GHSA-fhw2-h46x-v2mj for inclusion in the Advisory Database
under unreviewed/ for curation team review.

Advisory

• Source advisory: GHSA-fhw2-h46x-v2mj
• Affected package: @playwright/mcp (npm), versions <= 0.0.54
• Fixed version: 0.0.55 (published 2026-01-09)
• Fix commit: microsoft/playwright-mcp@d47197f4

Context

This advisory was published from my research repository rather than the official microsoft/playwright-mcp repository. I'm submitting via PR because:

1. MSRC declined to issue a CVE for the underlying issue (case VULN-166618, December 23, 2025) on the basis that Playwright MCP "is not designed to be a security boundary."

2. Despite that disposition, upstream subsequently merged commit d47197f4 on January 7, 2026, introducing allowUnrestrictedFileAccess (default false) — a default-on behavior change that directly blocks the exploit path described in the report. The source code comment accompanying the commit confirms its purpose ("prevent the LLM from accidentally wandering outside its intended workspace").

3. A CVE request submitted via my GHSA was declined on the basis that the request did not originate from the official package repository.

4. Users on @playwright/mcp <= 0.0.54 currently have no advisory signal in the GitHub Advisory Database and therefore no Dependabot coverage, despite a fixed version having been available for several months.

Verification

• PoC reproduction: tested against @playwright/mcp@0.0.47 (Microsoft official Docker image) and cloudflare/playwright-mcp@v0.0.5.
• Full PoC, execution trace, and timeline available in the source advisory linked above.

Notes

Placed under advisories/unreviewed/ to reflect that this advisory has not yet been reviewed by GitHub Security Lab. Happy to adjust the entry's wording, severity scoring, file location, or structure based on curation team feedback.

[mmzha2013]

Note: The "Processing advisory improvement" check failed because this PR submits a new advisory rather than improving an existing one. The automation appears to expect the GHSA ID to already exist in the database. Flagging this so curation team knows the failed check isn't a JSON validation issue — happy to adjust placement or format if a different submission path is preferred for new third-party advisories.

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.