tldr: Playwright MCP 0.0.77 and Playwright CLI 0.1.15 shipped within a day of each other in the last week of June, and both close the same gap: secrets you loaded for your AI agent could still leak in plain text through console log output. Here's what changed, why it took this long, and what still isn't covered.
Your agent's password was sitting in the console log
You did the right thing. You put your test credentials in a dotenv file, pointed --secrets at it, and told yourself the LLM would only ever see a placeholder.
For most of what the agent touched, that was true. Tool responses got the substitution. Network payloads got the substitution. Then a page under test called console.log() with a value that happened to match your secret, and the raw string showed up in the console log artifact anyway. Same session, same agent, same context window. The redaction you configured did not apply.
That's the gap Playwright MCP 0.0.77 and Playwright CLI 0.1.15 close. Both released in the final days of June, both carry the same line in their changelog: secrets get filtered out of console log output now.
What actually shipped
Microsoft ships two ways to hand an AI agent a browser: Playwright MCP, the Model Context Protocol server, and Playwright CLI, the shell-first tool built for coding agents. They're maintained by the same team and tend to ship related fixes close together, which is exactly what happened again here.
Playwright MCP 0.0.77 landed with:
- Secrets redacted in console log artifacts
- Data URL payloads excluded from snapshot and network output
- Failed network requests logged once instead of duplicated
- A configurable heartbeat timeout
Playwright CLI 0.1.15 landed a day later with:
- Secrets filtered out of console logs
- High-resolution screenshot capture (device pixels, not just CSS pixels)
- Update notifications when a newer CLI version is available
Neither release note calls this a security advisory. There's no CVE attached, and Microsoft's own security policy asks researchers to report vulnerabilities privately rather than as GitHub issues, so a quiet changelog line is the expected way a fix like this surfaces. But the practical effect is the same: a value you deliberately kept out of the model's context could still reach it through one specific tool, and now it can't.
Why this gap existed in the first place
Playwright MCP's --secrets option isn't new. You point it at a dotenv-format file, reference the keys as placeholders in your prompt, and the server resolves them server-side so the real value never has to appear in the conversation with the model. It's the standard answer whenever someone asks how to automate a login without pasting a password into an LLM's context.
The catch was scope. That substitution covered tool responses like page snapshots and form-fill confirmations. It did not extend to browser_console_messages, the tool that surfaces whatever the page itself logs to the console. If your app (or a third-party script running on it) logged an auth token during a request, or echoed a form value for debugging, that string went straight into the tool's output. The agent that was never supposed to see your credential in the first place would see it there instead, verbatim.
This isn't a hypothetical. Back in August 2025, a user filed an issue asking for exactly this kind of coverage: "real credentials never touch the model, only placeholders are visible to the LLM." Console log artifacts are precisely the case that request was worried about. Almost a year later, that specific path is covered.
It fits a pattern for this project. Playwright MCP has had its share of hard security lessons. Versions before 0.0.40 shipped without validating the Host header on incoming connections, which let a malicious website use DNS rebinding to send commands to a locally running MCP server (CVE-2025-9611). The fix added an allowedHosts option that checks the Host header on every request. There's also open discussion of remote-code-execution risk through prompt injection into browser_run_code_unsafe, a tool whose name is a deliberate warning label. None of that is directly related to this release. But it's the same theme repeating: a tool that hands an AI agent a real browser session has more attack surface than a tool that just runs your test suite, and the fixes keep coming in from the edges.
What this covers, and what it still doesn't
Be precise about the boundary, because it's easy to read "secrets redacted" and assume more than what shipped.
Covered now: console log messages, on both MCP and CLI. If a page logs a value matching one of your configured secrets, the tool output masks it instead of passing it through.
Still not covered by this release: anything outside the console log path. Playwright's trace files and HAR captures record full request and response bodies, including auth headers, and that has been a known gap for years, unrelated to the MCP secrets mechanism entirely. storageState exports serialize live session cookies and tokens as plain JSON, readable by anything with file access. And redaction is text-matching, not semantic. A secret that gets logged in an altered form (base64-encoded, partially concatenated, split across two log lines) may not match the pattern and won't get caught.
So this closes one real leak, not the category. If your threat model includes traces or storage state ending up somewhere they shouldn't, this release doesn't touch that.
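To make the text-matching boundary concrete, here is an added example (not Playwright's code, and not how either tool implements redaction): an exact-match redactor over console lines, plus an audit pass that flags whole-value encodings and split values the redactor misses. The mask format, function names, and sample credentials are all constructed for illustration.

```javascript
// Added example, not Playwright's code. Mask format and all sample data are constructed.
function parseDotenv(text) {
  const secrets = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_]\w*)\s*=(.*)$/);
    if (m) secrets[m[1]] = m[2].trim().replace(/^(['"])(.*)\1$/, "$2");
  }
  return secrets;
}

// Exact text matching: mask every literal occurrence of each secret value.
function redact(line, secrets) {
  let out = line;
  for (const [key, value] of Object.entries(secrets)) {
    if (value) out = out.split(value).join(`[REDACTED:${key}]`);
  }
  return out;
}

// Audit already-redacted lines for whole-value encodings and for values
// split across adjacent lines, which exact matching cannot see.
function auditRedacted(lines, secrets) {
  const findings = [];
  const text = lines.join("\n");
  const joined = lines.join("");
  for (const [key, value] of Object.entries(secrets)) {
    if (!value) continue;
    const raw = Buffer.from(value, "utf8");
    const encoded = {
      base64: raw.toString("base64").replace(/=+$/, ""),
      hex: raw.toString("hex"),
      urlencoded: encodeURIComponent(value),
    };
    for (const [form, needle] of Object.entries(encoded)) {
      if (needle !== value && text.includes(needle)) findings.push(`${key}:${form}`);
    }
    if (joined.includes(value)) findings.push(`${key}:split-across-lines`);
  }
  return findings;
}

const SECRETS = parseDotenv("TEST_USER=qa@example.test\nTEST_PASSWORD='s3cr3t@Pw/42'");
const CONSOLE_LINES = [ // constructed console output from a page under test
  "login ok for qa@example.test, password=s3cr3t@Pw/42",
  "debug token=" + Buffer.from("s3cr3t@Pw/42").toString("base64"),
  "chunk A: s3cr3t@",
  "Pw/42 :chunk B",
];
const REDACTED = CONSOLE_LINES.map((l) => redact(l, SECRETS));
console.log(REDACTED, auditRedacted(REDACTED, SECRETS));
```

The audit only recognizes a secret encoded on its own; a secret embedded in a larger encoded blob (a Basic auth header, for instance) shifts the base64 alignment and still goes unflagged.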
What to actually do
If you're already running --secrets with Playwright MCP or CLI, upgrade. This is a strict improvement with no downside.
npm install -g @playwright/mcp@latest
npm install -g @playwright/cli@latest
Or bump the version numbers directly in your MCP client config if you're pinning a specific release.
If you're not using --secrets yet and your agent handles any authenticated flow, this is the moment to add it. Loading credentials as placeholders instead of typing them into a prompt was already the right call before this fix. Now it also covers the console log path, which was the most likely place for a plaintext leak to sneak through unnoticed, since nobody reviews console log output line by line the way they'd review a diff.
And if traces or HAR files are part of your pipeline, treat them as containing secrets by default. Restrict who can pull them from CI artifacts, and don't attach them to public bug reports without scrubbing first. That risk hasn't moved.
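One way to do that scrubbing for a HAR file before it leaves CI, as an added example that is not part of Playwright or Bug0: it masks credential-bearing headers and cookies in the standard HAR 1.2 layout and text-matches known secret values in URLs and bodies. The header list, mask text, function names, and sample capture are assumptions constructed for illustration.

```javascript
// Added example, not part of Playwright. Header list, mask and sample HAR are constructed.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"]);
const MASK = "[SCRUBBED]";

function scrubText(text, secretValues) {
  let out = text;
  for (const v of secretValues) if (v) out = out.split(v).join(MASK);
  return out;
}

function scrubHar(har, secretValues = []) {
  const copy = JSON.parse(JSON.stringify(har)); // never mutate the original capture
  let masked = 0;
  for (const entry of copy.log?.entries ?? []) {
    for (const msg of [entry.request, entry.response]) {
      if (!msg) continue;
      for (const h of msg.headers ?? []) {
        if (SENSITIVE_HEADERS.has(h.name.toLowerCase())) { h.value = MASK; masked++; }
        else h.value = scrubText(h.value, secretValues);
      }
      for (const c of msg.cookies ?? []) { c.value = MASK; masked++; }
    }
    const req = entry.request ?? {};
    if (req.url) req.url = scrubText(req.url, secretValues);
    for (const q of req.queryString ?? []) q.value = scrubText(q.value, secretValues);
    if (req.postData?.text) req.postData.text = scrubText(req.postData.text, secretValues);
    const body = entry.response?.content;
    // Bodies stored base64-encoded cannot be text-matched, so drop them entirely.
    if (body?.text) body.text = body.encoding === "base64" ? MASK : scrubText(body.text, secretValues);
  }
  return { har: copy, masked };
}

const SAMPLE_HAR = { log: { version: "1.2", entries: [{ // constructed capture
  request: {
    method: "POST", url: "https://app.example.test/login",
    headers: [{ name: "Authorization", value: "Bearer constructed-token-123" },
              { name: "Content-Type", value: "application/json" }],
    cookies: [{ name: "sid", value: "constructed-session" }],
    postData: { mimeType: "application/json", text: '{"password":"s3cr3t@Pw/42"}' },
  },
  response: {
    status: 200,
    headers: [{ name: "Set-Cookie", value: "sid=constructed-session; HttpOnly" }],
    cookies: [],
    content: { mimeType: "application/json", text: '{"token":"constructed-token-123"}' },
  },
}] } };
console.log(JSON.stringify(scrubHar(SAMPLE_HAR, ["s3cr3t@Pw/42", "constructed-token-123"]), null, 2));
```

Header and cookie masking works without knowing the secret values; the body and URL pass is text matching and has the same limits as the console log redaction.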
Where Bug0 fits
This whole category, keeping real credentials away from a model that's driving your tests, is something we've had to solve directly. Passmark, Bug0's open-source Playwright engine, resolves runtime values through a placeholder system: patterns like {{run.email}} or {{global.dynamicEmail}} get filled in at execution time, not written into the step description the AI reads. The AI plans and executes the flow. It doesn't need the literal password to do that, and it never sees one.
On Bug0 Managed, that same discipline extends to how your forward-deployed engineer sets up test credentials: a secrets vault you control, referenced by placeholder in the suite your FDE builds on Passmark. You get the coverage without your auth tokens passing through anyone's prompt history.
FAQs
What changed in Playwright MCP 0.0.77?
Playwright MCP 0.0.77 redacts secrets from console log artifacts, excludes data URL payloads from snapshot and network output, deduplicates repeated failed network request log entries, and adds a configurable heartbeat timeout. It shipped in the final days of June 2026.
What changed in Playwright CLI 0.1.15?
Playwright CLI 0.1.15 filters secrets out of console log output, adds high-resolution (device-pixel) screenshot capture, and adds update notifications when a newer CLI version is available. It shipped a day after Playwright MCP 0.0.77.
How does the --secrets option work in Playwright MCP?
You point --secrets (or the PLAYWRIGHT_MCP_SECRETS_FILE environment variable) at a dotenv-format file holding your credentials. The server replaces any matching plain text in tool responses before it reaches the model. Before 0.0.77, that substitution didn't extend to console log output, meaning a page that logged a matching value could still leak it in plain text. Microsoft's own docs are upfront that this is a convenience, not a guaranteed security boundary, so treat it as one layer, not the whole defense.
Does this fix cover Playwright traces and HAR files?
No. Traces and HAR captures record full request and response bodies, including auth headers and tokens, and that has been a known limitation for years, separate from the MCP secrets mechanism. If your pipeline generates traces or HAR files, treat them as sensitive artifacts regardless of this release.
Is this related to the Playwright MCP DNS rebinding CVE?
No, they're unrelated fixes. CVE-2025-9611 was a DNS rebinding vulnerability in versions before 0.0.40, patched by adding an allowedHosts option that validates the Host header on incoming connections. The console log redaction in 0.0.77 is a separate, later fix for a different leak path. Both point to the same underlying reality: an MCP server driving a real browser session carries more attack surface than a script-only test runner.
How does Bug0 handle test credentials?
Passmark, Bug0's open-source Playwright engine, injects runtime values through a placeholder system, so the AI resolving a test step never receives the literal credential. On Bug0 Managed, your forward-deployed engineer builds your suite against a secrets vault you control, referenced by placeholder rather than typed into a prompt.
Small changelog line, real gap closed. If you've been running an AI agent against an authenticated app with --secrets configured, this is the update that makes that setup actually mean what you thought it meant.





