Playwright Spoofing Vulnerability
Description
Improper verification of cryptographic signature in GitHub: Playwright allows an unauthorized attacker to perform spoofing over an adjacent network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Playwright installer scripts use curl -k, disabling SSL verification, allowing MitM spoofing to deliver malicious browser packages.
Vulnerability
CVE-2025-59288 describes a flaw in Playwright's browser installation scripts where the -k (or --insecure) flag is passed to curl, disabling SSL certificate validation. This means that when these scripts download browser packages, they do not verify the authenticity of the SSL certificate presented by the server. The vulnerable scripts are located in packages/playwright-core/bin/ and include reinstall scripts for Chrome, Edge, and their variants [1][4].
Exploitation
An attacker with access to an adjacent network (e.g., through a compromised Wi-Fi or LAN connection) can perform a Man-in-the-Middle (MitM) attack. By intercepting the HTTPS request for a browser installer, the attacker can serve a malicious package instead of the legitimate one. Because curl -k bypasses certificate checks, the downloaded package is accepted and executed without any validation of its source [4]. No special privileges or user interaction beyond running the installer script is needed.
Impact
Successful exploitation allows the attacker to deliver arbitrary executables that are installed with system privileges (using sudo installer). This can lead to full system compromise, including remote code execution, data theft, and persistent malware installation. The vulnerability is particularly severe because browser packages are large, trusted by users, and installed with elevated permissions [4].
Mitigation
The issue has been addressed in a pull request [1] that removes the -k flag from the affected scripts. Users should update Playwright to the latest version to receive the fix. As a workaround, if updating is not immediately possible, ensure that scripts are executed only on trusted networks and avoid running them in untrusted environments.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| playwright (npm) | < 1.55.1 | 1.55.1 |
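A check a defender can run against an installed copy, given the mitigation above and the patched version in this table. It is an added example, not code from Playwright or the advisory: it flags curl commands that still pass -k or --insecure and compares the package version with 1.55.1. The function names, exit codes, the sample tree and the assumption that the directory holds bin/*.sh and package.json belong to this example, and the option match is a heuristic.

```shell
#!/bin/sh
# Added example (not Playwright's code): audit a playwright-core directory
# for the curl -k pattern behind CVE-2025-59288.
PATCHED=1.55.1   # patched version, from the Affected packages table

# insecure_curl_lines DIR: print file:line:text for each non-comment curl
# command in *.sh under DIR that passes -k (alone or bundled, e.g. -sk) or
# --insecure. Exit status 0 if any were found, 1 otherwise. Heuristic match.
insecure_curl_lines() {
  find "$1" -type f -name '*.sh' -exec grep -nE \
    '(^|[;&|[:space:]])curl[[:space:]](.*[[:space:]])?(--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)' \
    /dev/null {} + | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# version_lt A B: exit status 0 if plain x.y.z version A is lower than B.
version_lt() (
  a=$1 b=$2
  for i in 1 2 3; do
    x=${a%%.*} y=${b%%.*}
    [ "$x" -lt "$y" ] && exit 0
    [ "$x" -gt "$y" ] && exit 1
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  exit 1
)

# audit DIR: 0 = clean, 1 = curl -k in DIR/bin, 2 = version < PATCHED, 3 = no version.
audit() (
  if insecure_curl_lines "$1/bin"; then exit 1; fi
  v=$(sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/package.json" | head -n 1)
  [ -n "$v" ] || { echo "no version in $1/package.json" >&2; exit 3; }
  if version_lt "$v" "$PATCHED"; then echo "playwright-core $v < $PATCHED"; exit 2; fi
  echo "OK: playwright-core $v"
)

# make_sample DIR VERSION FLAG: constructed test tree; the curl and hdiutil
# lines are modelled on the diff on this page.
make_sample() (
  mkdir -p "$1/bin"
  printf '{\n  "name": "playwright-core",\n  "version": "%s"\n}\n' "$2" > "$1/package.json"
  printf '%s\n' '# curl -k used to be here' \
    "curl --retry 3 -o ./msedge_beta.pkg $3 \"\$1\"" \
    'hdiutil attach -nobrowse -quiet -noautofsck -noautoopen ./x.dmg' \
    > "$1/bin/reinstall.sh"
)

# Usage: sh audit.sh node_modules/playwright-core   (path is an assumption)
if [ -n "${1:-}" ]; then audit "$1"; fi
```

The hdiutil line in the sample carries an option containing the letter k (-noautofsck) and the first line is a comment mentioning curl -k; neither is reported, because only options on a curl command line count.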
Affected products
- Microsoft/microsoft/playwright, v5, Range: 1.0.0
Patches
- 72c62d840247 chore: do not use -k option (#37532)
5 files changed · +5 −5
packages/playwright-core/bin/reinstall_chrome_beta_mac.sh+1 −1 modified@@ -4,7 +4,7 @@ set -x rm -rf "/Applications/Google Chrome Beta.app" cd /tmp -curl --retry 3 -o ./googlechromebeta.dmg -k https://dl.google.com/chrome/mac/universal/beta/googlechromebeta.dmg +curl --retry 3 -o ./googlechromebeta.dmg https://dl.google.com/chrome/mac/universal/beta/googlechromebeta.dmg hdiutil attach -nobrowse -quiet -noautofsck -noautoopen -mountpoint /Volumes/googlechromebeta.dmg ./googlechromebeta.dmg cp -pR "/Volumes/googlechromebeta.dmg/Google Chrome Beta.app" /Applications hdiutil detach /Volumes/googlechromebeta.dmg
packages/playwright-core/bin/reinstall_chrome_stable_mac.sh+1 −1 modified@@ -4,7 +4,7 @@ set -x rm -rf "/Applications/Google Chrome.app" cd /tmp -curl --retry 3 -o ./googlechrome.dmg -k https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg +curl --retry 3 -o ./googlechrome.dmg https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg hdiutil attach -nobrowse -quiet -noautofsck -noautoopen -mountpoint /Volumes/googlechrome.dmg ./googlechrome.dmg cp -pR "/Volumes/googlechrome.dmg/Google Chrome.app" /Applications hdiutil detach /Volumes/googlechrome.dmg
packages/playwright-core/bin/reinstall_msedge_beta_mac.sh+1 −1 modified@@ -3,7 +3,7 @@ set -e set -x cd /tmp -curl --retry 3 -o ./msedge_beta.pkg -k "$1" +curl --retry 3 -o ./msedge_beta.pkg "$1" # Note: there's no way to uninstall previously installed MSEdge. # However, running PKG again seems to update installation. sudo installer -pkg /tmp/msedge_beta.pkg -target /
packages/playwright-core/bin/reinstall_msedge_dev_mac.sh+1 −1 modified@@ -3,7 +3,7 @@ set -e set -x cd /tmp -curl --retry 3 -o ./msedge_dev.pkg -k "$1" +curl --retry 3 -o ./msedge_dev.pkg "$1" # Note: there's no way to uninstall previously installed MSEdge. # However, running PKG again seems to update installation. sudo installer -pkg /tmp/msedge_dev.pkg -target /
packages/playwright-core/bin/reinstall_msedge_stable_mac.sh+1 −1 modified@@ -3,7 +3,7 @@ set -e set -x cd /tmp -curl --retry 3 -o ./msedge_stable.pkg -k "$1" +curl --retry 3 -o ./msedge_stable.pkg "$1" # Note: there's no way to uninstall previously installed MSEdge. # However, running PKG again seems to update installation. sudo installer -pkg /tmp/msedge_stable.pkg -target /
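Review bot: In reinstall_chrome_beta_mac.sh and reinstall_chrome_stable_mac.sh, the lines after the changed curl call mount the .dmg and cp -pR the app into /Applications with nothing checking what was downloaded, so certificate validation is now the only control on the file. Suggest verifying the mounted bundle before the copy, for example codesign --verify --deep --strict "/Volumes/googlechromebeta.dmg/Google Chrome Beta.app", and adding --fail to the curl line so an HTTP error body is not saved as the .dmg and only rejected later by hdiutil attach.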
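Review bot: In the three reinstall_msedge_*_mac.sh hunks the URL is still the caller-supplied "$1", so dropping -k only helps when that argument is an https:// URL; an http:// value would be fetched with no TLS at all and the result still goes to sudo installer -pkg. Suggest restricting the scheme on the curl line (curl --proto '=https' --fail --retry 3 -o ./msedge_beta.pkg "$1") and checking the package signature, for example with pkgutil --check-signature /tmp/msedge_beta.pkg, before the installer step.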
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7mvr-c777-76hp (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59288 (ghsa, vendor-advisory, patch, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-59288 (ghsa, ADVISORY)
- github.com/SocketDev/security-research/security/advisories/GHSA-qxm8-4v54-964r (ghsa, WEB)
- github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570 (ghsa, WEB)
- github.com/microsoft/playwright/pull/37532 (ghsa, WEB)
- github.com/microsoft/playwright/releases/tag/v1.55.1 (ghsa, WEB)
- github.com/microsoft/playwright/releases/tag/v1.56.0 (ghsa, WEB)