Provides browser automation capabilities via HTTP endpoints by wrapping the official Playwright MCP package, enabling serverless deployments and cloud environments where STDIO-based communication is not possible.
Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
express vulnerable to XSS via response.redirect()
Express.js Open Redirect in malformed URLs
process.env. You'll be asked to provide them before it can run.
ALLOWED_DOMAINS
AUTH_SECRET_NAME (default: none): GCP Secret Manager secret name (alternative to AUTH_TOKEN)
AUTH_TOKEN (default: none): Bearer token for authentication (required for production)
CORS_ORIGIN: CORS allowed origins
GCP_PROJECT_ID (default: auto): GCP project ID (required if using AUTH_SECRET_NAME)
GOOGLE_CLOUD_PROJECT
LOG_LEVEL (default: info): Logging level (error, warn, info, debug)
MAX_CONCURRENT_BROWSERS
MAX_SESSIONS (default: unlimited): Maximum concurrent browser sessions
PLAYWRIGHT_BROWSER (default: chromium): Browser type (chromium, firefox, webkit)
PLAYWRIGHT_BROWSERS_PATH
PLAYWRIGHT_BROWSER_ARGS
PLAYWRIGHT_HEADLESS (default: true): Run browser in headless mode
PORT (default: 8931): HTTP server port
RATE_LIMIT_MAX
RATE_LIMIT_WINDOW_MS
REQUEST_TIMEOUT_MS
SESSION_TIMEOUT (default: none): Session timeout in seconds