NodeJS/playwright/1.18.0-alpha-jan-4-2022


A high-level API to automate web browsers

https://www.npmjs.com/package/playwright
Apache-2.0

1 Security Vulnerabilities

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

Published date: 2025-10-14T18:30:36Z
CVE: CVE-2025-59288

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.
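A hardened counterpart of the two-line pattern above, added here as an example (it is not code from the Playwright repository and not the project's fix). It keeps certificate validation on and refuses to install unless the file matches a pinned SHA-256. The function names, the URL argument and the pinned digest are assumptions; the digest is assumed to come from a trusted channel such as the repository itself.

```shell
#!/usr/bin/env bash
# Added example: download with TLS verification, then verify a pinned digest
# before the installer runs. All names below are hypothetical.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeeds only when the file exists, a digest was supplied, and they match.
verify_pkg() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || return 1
  actual="$(sha256_of "$file")" || return 1
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# No -k: curl validates the certificate chain and host name. HTTPS is
# enforced for the request and for any redirect it follows.
fetch_and_install() {
  local url="$1" expected="$2" tmp
  tmp="$(mktemp -d)" || return 1
  curl --fail --silent --show-error --location --retry 3 \
       --proto '=https' --proto-redir '=https' --tlsv1.2 \
       -o "$tmp/pkg.pkg" "$url" || { rm -rf "$tmp"; return 1; }
  if verify_pkg "$tmp/pkg.pkg" "$expected"; then
    sudo installer -pkg "$tmp/pkg.pkg" -target /
  else
    echo "checksum mismatch for $url; not installing" >&2
    rm -rf "$tmp"
    return 1
  fi
}

# Usage (placeholders): fetch_and_install "$PKG_URL" "$PKG_SHA256"
```

The digest check is independent of TLS, so a package swapped on the mirror itself is rejected as well as one swapped in transit.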

PoC

A high-level exploitation scenario:

  1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
  2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
  3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
  4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.
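To check your own CI/CD and developer scripts for the same pattern, the following added example (not part of the advisory or the Playwright repository) flags curl invocations that pass -k or --insecure. The function names and the choice of file globs are assumptions, and the match is a line-based heuristic.

```shell
#!/usr/bin/env bash
# Added example: audit a source tree for curl calls that disable
# certificate validation. Function names and globs are hypothetical.

# Prints "file:line:text" for each curl invocation using --insecure or a
# short -k, alone or bundled with other short flags (for example -sSLk).
# Lines that are only a comment are dropped. A flag placed on a
# backslash-continued line after "curl" is not seen by this check.
find_insecure_curl() {
  grep -rnHE --include='*.sh' --include='*.yml' --include='*.yaml' \
    '(^|[^[:alnum:]_-])curl[[:space:]]([^#]*[[:space:]])?(--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)' \
    "$1" | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

# Number of findings under a directory, for use as a CI gate.
count_insecure_curl() {
  find_insecure_curl "$1" | wc -l | tr -d ' '
}

# Usage: [ "$(count_insecure_curl ./scripts)" = "0" ] || exit 1
```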

Fix

Credit

  • This vulnerability was uncovered by tooling by Socket
  • This vulnerability was confirmed by @evilpacket
  • This vulnerability was reported by @JLLeitschuh at Socket

Disclosure

Affected versions: []
Secure versions: [1.55.1, 1.56.0, 1.56.0-alpha-1756475278000, 1.56.0-alpha-1756505518000, 1.56.0-alpha-1756945786000, 1.56.0-alpha-1757023974000, 1.56.0-alpha-1757090131000, 1.56.0-alpha-1757456950000, 1.56.0-alpha-1757464324000, 1.56.0-alpha-1757624765000, 1.56.0-alpha-1758061937000, 1.56.0-alpha-1758292576000, 1.56.0-alpha-1758747822000, 1.56.0-alpha-1758750661000, 1.56.0-alpha-1758818034000, 1.56.0-alpha-1758839353000, 1.56.0-alpha-1759271123000, 1.56.0-alpha-2025-08-20, 1.56.0-alpha-2025-08-21, 1.56.0-alpha-2025-08-22, 1.56.0-alpha-2025-08-23, 1.56.0-alpha-2025-08-24, 1.56.0-alpha-2025-08-25, 1.56.0-alpha-2025-08-26, 1.56.0-alpha-2025-08-27, 1.56.0-alpha-2025-08-28, 1.56.0-alpha-2025-08-29, 1.56.0-alpha-2025-08-30, 1.56.0-alpha-2025-08-31, 1.56.0-alpha-2025-09-01, 1.56.0-alpha-2025-09-02, 1.56.0-alpha-2025-09-03, 1.56.0-alpha-2025-09-04, 1.56.0-alpha-2025-09-05, 1.56.0-alpha-2025-09-06, 1.56.0-alpha-2025-09-07, 1.56.0-alpha-2025-09-08, 1.56.0-alpha-2025-09-09, 1.56.0-alpha-2025-09-10, 1.56.0-alpha-2025-09-11, 1.56.0-alpha-2025-09-12, 1.56.0-alpha-2025-09-13, 1.56.0-alpha-2025-09-14, 1.56.0-alpha-2025-09-15, 1.56.0-alpha-2025-09-16, 1.56.0-alpha-2025-09-17, 1.56.0-alpha-2025-09-18, 1.56.0-alpha-2025-09-20, 1.56.0-alpha-2025-09-21, 1.56.0-alpha-2025-09-22, 1.56.0-alpha-2025-09-23, 1.56.0-alpha-2025-09-24, 1.56.0-alpha-2025-09-25, 1.56.0-alpha-2025-09-26, 1.56.0-alpha-2025-09-27, 1.56.0-alpha-2025-09-28, 1.56.0-alpha-2025-09-29, 1.56.0-alpha-2025-09-30, 1.56.0-alpha-2025-10-01, 1.56.0-alpha-2025-10-02, 1.56.0-beta-1759412259000, 1.56.0-beta-1759435110000, 1.56.0-beta-1759451736000, 1.56.0-beta-1759527268000, 1.56.0-beta-1759754009000, 1.56.0-beta-1759755104000, 1.56.0-beta-1759756726000, 1.56.0-beta-1759761109000, 1.56.0-beta-1759771650000, 1.56.0-beta-1759861168000, 1.56.0-beta-1759867178000, 1.56.0-beta-1759868987000, 1.56.0-beta-1760652530000, 1.56.0-beta-1760659234000, 1.56.1, 1.56.1-beta-1760659320000, 1.56.1-beta-1760662108000, 1.56.1-beta-1761085025000, 
1.57.0, 1.57.0-alpha-1760728340000, 1.57.0-alpha-1761929702000, 1.57.0-alpha-2025-10-03, 1.57.0-alpha-2025-10-04, 1.57.0-alpha-2025-10-05, 1.57.0-alpha-2025-10-06, 1.57.0-alpha-2025-10-07, 1.57.0-alpha-2025-10-08, 1.57.0-alpha-2025-10-09, 1.57.0-alpha-2025-10-10, 1.57.0-alpha-2025-10-11, 1.57.0-alpha-2025-10-12, 1.57.0-alpha-2025-10-13, 1.57.0-alpha-2025-10-14, 1.57.0-alpha-2025-10-15, 1.57.0-alpha-2025-10-16, 1.57.0-alpha-2025-10-17, 1.57.0-alpha-2025-10-18, 1.57.0-alpha-2025-10-19, 1.57.0-alpha-2025-10-20, 1.57.0-alpha-2025-10-21, 1.57.0-alpha-2025-10-22, 1.57.0-alpha-2025-10-23, 1.57.0-alpha-2025-10-24, 1.57.0-alpha-2025-10-25, 1.57.0-alpha-2025-10-26, 1.57.0-alpha-2025-10-27, 1.57.0-alpha-2025-10-28, 1.57.0-alpha-2025-10-29, 1.57.0-alpha-2025-10-30, 1.57.0-alpha-2025-10-31, 1.57.0-alpha-2025-11-01, 1.57.0-alpha-2025-11-02, 1.57.0-alpha-2025-11-03, 1.57.0-alpha-2025-11-04, 1.57.0-alpha-2025-11-05, 1.57.0-alpha-2025-11-06, 1.57.0-alpha-2025-11-07, 1.57.0-alpha-2025-11-08, 1.57.0-alpha-2025-11-09, 1.57.0-alpha-2025-11-10, 1.57.0-alpha-2025-11-11, 1.57.0-alpha-2025-11-12, 1.57.0-alpha-2025-11-13, 1.57.0-alpha-2025-11-14, 1.57.0-alpha-2025-11-15, 1.57.0-alpha-2025-11-16, 1.57.0-alpha-2025-11-17, 1.57.0-alpha-2025-11-18, 1.57.0-alpha-2025-11-19, 1.57.0-alpha-2025-11-20, 1.57.0-beta-1763649092000, 1.57.0-beta-1763718928000, 1.57.0-beta-1763739794000, 1.57.0-beta-1764065820000, 1.57.0-beta-1764069017000, 1.57.0-beta-1764692940000, 1.57.0-beta-1764944708000, 1.57.0-beta-1765994134000, 1.57.0-beta-1765994843000, 1.58.0, 1.58.0-alpha-1763757971000, 1.58.0-alpha-1764325208000, 1.58.0-alpha-1764682370000, 1.58.0-alpha-1764708599000, 1.58.0-alpha-1766189059000, 1.58.0-alpha-1766484475000, 1.58.0-alpha-1767864918000, 1.58.0-alpha-2025-11-21, 1.58.0-alpha-2025-11-22, 1.58.0-alpha-2025-11-23, 1.58.0-alpha-2025-11-24, 1.58.0-alpha-2025-11-25, 1.58.0-alpha-2025-11-26, 1.58.0-alpha-2025-11-27, 1.58.0-alpha-2025-11-28, 1.58.0-alpha-2025-11-29, 1.58.0-alpha-2025-11-30, 
1.58.0-alpha-2025-12-01, 1.58.0-alpha-2025-12-02, 1.58.0-alpha-2025-12-03, 1.58.0-alpha-2025-12-04, 1.58.0-alpha-2025-12-05, 1.58.0-alpha-2025-12-06, 1.58.0-alpha-2025-12-07, 1.58.0-alpha-2025-12-08, 1.58.0-alpha-2025-12-09, 1.58.0-alpha-2025-12-10, 1.58.0-alpha-2025-12-11, 1.58.0-alpha-2025-12-12, 1.58.0-alpha-2025-12-13, 1.58.0-alpha-2025-12-14, 1.58.0-alpha-2025-12-15, 1.58.0-alpha-2025-12-16, 1.58.0-alpha-2025-12-17, 1.58.0-alpha-2025-12-18, 1.58.0-alpha-2025-12-19, 1.58.0-alpha-2025-12-20, 1.58.0-alpha-2025-12-21, 1.58.0-alpha-2025-12-22, 1.58.0-alpha-2025-12-23, 1.58.0-alpha-2025-12-24, 1.58.0-alpha-2025-12-25, 1.58.0-alpha-2025-12-26, 1.58.0-alpha-2025-12-27, 1.58.0-alpha-2025-12-28, 1.58.0-alpha-2025-12-29, 1.58.0-alpha-2025-12-30, 1.58.0-alpha-2025-12-31, 1.58.0-alpha-2026-01-01, 1.58.0-alpha-2026-01-02, 1.58.0-alpha-2026-01-03, 1.58.0-alpha-2026-01-04, 1.58.0-alpha-2026-01-05, 1.58.0-alpha-2026-01-06, 1.58.0-alpha-2026-01-07, 1.58.0-alpha-2026-01-08, 1.58.0-alpha-2026-01-09, 1.58.0-alpha-2026-01-10, 1.58.0-alpha-2026-01-11, 1.58.0-alpha-2026-01-12, 1.58.0-alpha-2026-01-13, 1.58.0-alpha-2026-01-14, 1.58.0-alpha-2026-01-15, 1.58.0-alpha-2026-01-16, 1.58.0-alpha-2026-01-17, 1.58.0-alpha-2026-01-18, 1.58.0-alpha-2026-01-19, 1.58.0-alpha-2026-01-20, 1.58.0-alpha-2026-01-21, 1.58.0-alpha-2026-01-22, 1.58.0-beta-1769095880000, 1.58.0-beta-1769164624000, 1.58.0-beta-1769640251000, 1.58.0-beta-1769780171000, 1.58.0-beta-1769780184000, 1.58.1, 1.58.1-beta-1769785134000, 1.58.1-beta-1769790992000, 1.58.1-beta-1770315402000, 1.58.1-beta-1770318439000, 1.58.1-beta-1770320340000, 1.58.2, 1.58.2-beta-1770322573000, 1.58.2-beta-1770385335000, 1.58.2-beta-1771982315000, 1.59.0, 1.59.0-alpha-1769176698000, 1.59.0-alpha-1769191051000, 1.59.0-alpha-1769208470000, 1.59.0-alpha-1769217009000, 1.59.0-alpha-1769364499000, 1.59.0-alpha-1769450964000, 1.59.0-alpha-1769452054000, 1.59.0-alpha-1769561805000, 1.59.0-alpha-1769649705000, 1.59.0-alpha-1769819922000, 
1.59.0-alpha-1770084836000, 1.59.0-alpha-1770157258000, 1.59.0-alpha-1770286317000, 1.59.0-alpha-1770309616000, 1.59.0-alpha-1770338664000, 1.59.0-alpha-1770396925000, 1.59.0-alpha-1770400094000, 1.59.0-alpha-1770424401000, 1.59.0-alpha-1770426101000, 1.59.0-alpha-1771028105000, 1.59.0-alpha-1771041074000, 1.59.0-alpha-1771104257000, 1.59.0-alpha-1771260841000, 1.59.0-alpha-1773451864000, 1.59.0-alpha-1773598190000, 1.59.0-alpha-1773608981000, 1.59.0-alpha-1773706743000, 1.59.0-alpha-1773960956000, 1.59.0-alpha-1774017892000, 1.59.0-alpha-1774052454000, 1.59.0-alpha-1774287265000, 1.59.0-alpha-1774622285000, 1.59.0-alpha-1774656214000, 1.59.0-alpha-1774661115000, 1.59.0-alpha-1774903871000, 1.59.0-alpha-1774912654000, 1.59.0-alpha-2026-01-23, 1.59.0-alpha-2026-01-24, 1.59.0-alpha-2026-01-25, 1.59.0-alpha-2026-01-26, 1.59.0-alpha-2026-01-27, 1.59.0-alpha-2026-01-28, 1.59.0-alpha-2026-01-29, 1.59.0-alpha-2026-01-30, 1.59.0-alpha-2026-01-31, 1.59.0-alpha-2026-02-01, 1.59.0-alpha-2026-02-02, 1.59.0-alpha-2026-02-03, 1.59.0-alpha-2026-02-04, 1.59.0-alpha-2026-02-05, 1.59.0-alpha-2026-02-06, 1.59.0-alpha-2026-02-07, 1.59.0-alpha-2026-02-08, 1.59.0-alpha-2026-02-09, 1.59.0-alpha-2026-02-10, 1.59.0-alpha-2026-02-11, 1.59.0-alpha-2026-02-12, 1.59.0-alpha-2026-02-13, 1.59.0-alpha-2026-02-14, 1.59.0-alpha-2026-02-15, 1.59.0-alpha-2026-02-16, 1.59.0-alpha-2026-02-17, 1.59.0-alpha-2026-02-18, 1.59.0-alpha-2026-02-19, 1.59.0-alpha-2026-02-20, 1.59.0-alpha-2026-02-21, 1.59.0-alpha-2026-02-22, 1.59.0-alpha-2026-02-23, 1.59.0-alpha-2026-02-24, 1.59.0-alpha-2026-02-25, 1.59.0-alpha-2026-02-26, 1.59.0-alpha-2026-02-27, 1.59.0-alpha-2026-02-28, 1.59.0-alpha-2026-03-01, 1.59.0-alpha-2026-03-02, 1.59.0-alpha-2026-03-03, 1.59.0-alpha-2026-03-04, 1.59.0-alpha-2026-03-05, 1.59.0-alpha-2026-03-06, 1.59.0-alpha-2026-03-07, 1.59.0-alpha-2026-03-08, 1.59.0-alpha-2026-03-09, 1.59.0-alpha-2026-03-10, 1.59.0-alpha-2026-03-11, 1.59.0-alpha-2026-03-12, 1.59.0-alpha-2026-03-13, 
1.59.0-alpha-2026-03-14, 1.59.0-alpha-2026-03-15, 1.59.0-alpha-2026-03-16, 1.59.0-alpha-2026-03-17, 1.59.0-alpha-2026-03-18, 1.59.0-alpha-2026-03-19, 1.59.0-alpha-2026-03-20, 1.59.0-alpha-2026-03-21, 1.59.0-alpha-2026-03-22, 1.59.0-alpha-2026-03-23, 1.59.0-alpha-2026-03-24, 1.59.0-alpha-2026-03-25, 1.59.0-alpha-2026-03-26, 1.59.0-alpha-2026-03-27, 1.59.0-alpha-2026-03-28, 1.59.0-alpha-2026-03-29, 1.59.0-alpha-2026-03-30, 1.59.0-beta-1774915887000, 1.59.0-beta-1774918830000, 1.59.0-beta-1774952471000, 1.59.0-beta-1774957992000, 1.59.0-beta-1774960396000, 1.59.0-beta-1774969283000, 1.59.0-beta-1774973666000, 1.59.0-beta-1774974568000, 1.59.0-beta-1774983340000, 1.59.0-beta-1774990462000, 1.59.0-beta-1774995564000, 1.59.0-beta-1774999371000, 1.59.0-beta-1775060947000, 1.59.0-beta-1775061558000, 1.59.1, 1.59.1-beta-1775063275000, 1.59.1-beta-1775097386000, 1.59.1-beta-1775752988000, 1.59.1-beta-1775762078000, 1.60.0-alpha-1774999321000, 1.60.0-alpha-1775059755000, 1.60.0-alpha-1775061447000, 1.60.0-alpha-1775180302000, 1.60.0-alpha-1775237291000, 1.60.0-alpha-1775258971000, 1.60.0-alpha-1775584683000, 1.60.0-alpha-1775674864000, 1.60.0-alpha-1775752697000, 1.60.0-alpha-1775931579000, 1.60.0-alpha-1775951570000, 1.60.0-alpha-2026-03-31, 1.60.0-alpha-2026-04-01, 1.60.0-alpha-2026-04-02, 1.60.0-alpha-2026-04-03, 1.60.0-alpha-2026-04-04, 1.60.0-alpha-2026-04-05, 1.60.0-alpha-2026-04-06, 1.60.0-alpha-2026-04-07, 1.60.0-alpha-2026-04-08, 1.60.0-alpha-2026-04-09, 1.60.0-alpha-2026-04-10, 1.60.0-alpha-2026-04-11, 1.60.0-alpha-2026-04-13]
Recommendation: Update to version 1.59.1.

5458 Other Versions

Version License Security Released
1.8.0-next-1610064934000 Apache-2.0 1 2021-01-08 - 00:19 over 5 years
1.8.0-next-1610393454000 Apache-2.0 1 2021-01-11 - 19:37 over 5 years
1.8.0-next-1610404206000 Apache-2.0 1 2021-01-11 - 22:38 over 5 years
1.8.0-next-1610482467000 Apache-2.0 1 2021-01-12 - 20:17 about 5 years
1.8.0-next-1609890568000 Apache-2.0 1 2021-01-05 - 23:52 over 5 years
1.8.0-next-1609954302000 Apache-2.0 1 2021-01-06 - 17:34 over 5 years
1.8.0-next-1610132364000 Apache-2.0 1 2021-01-08 - 19:02 over 5 years
1.8.0-next-1610137674000 Apache-2.0 1 2021-01-08 - 20:31 over 5 years
1.8.0-next-1610149328000 Apache-2.0 1 2021-01-08 - 23:44 over 5 years
1.8.0-next-1610400995000 Apache-2.0 1 2021-01-11 - 21:38 over 5 years
1.8.0-next-1610586173000 Apache-2.0 1 2021-01-14 - 01:05 about 5 years
1.8.0-next-1609884287000 Apache-2.0 1 2021-01-05 - 22:07 over 5 years
1.8.0-next-1610123973000 Apache-2.0 1 2021-01-08 - 16:41 over 5 years
1.8.0-next-1610146814000 Apache-2.0 1 2021-01-08 - 23:05 over 5 years
1.8.0-next-1610151305000 Apache-2.0 1 2021-01-09 - 00:17 over 5 years
1.8.0-next-1610156177000 Apache-2.0 1 2021-01-09 - 01:38 over 5 years
1.8.0-next-1610341252000 Apache-2.0 1 2021-01-11 - 05:03 over 5 years
1.8.0-next-1610413079000 Apache-2.0 1 2021-01-12 - 01:00 over 5 years
1.8.0-next-1610418341000 Apache-2.0 1 2021-01-12 - 02:27 over 5 years
1.8.0-next-1610576742000 Apache-2.0 1 2021-01-13 - 22:28 about 5 years
1.8.0-next-1610594490000 Apache-2.0 1 2021-01-14 - 03:24 about 5 years
1.8.0-next-1609907510000 Apache-2.0 1 2021-01-06 - 04:33 over 5 years
1.8.0-next-1610054794000 Apache-2.0 1 2021-01-07 - 21:28 over 5 years
1.8.0-next-1610060049000 Apache-2.0 1 2021-01-07 - 22:56 over 5 years
1.8.0-next-1610151474000 Apache-2.0 1 2021-01-09 - 00:21 over 5 years
1.8.0-next-1610501508000 Apache-2.0 1 2021-01-13 - 01:34 about 5 years
1.8.0-next-1610600615000 Apache-2.0 1 2021-01-14 - 05:05 about 5 years
1.8.0-next-1609895143000 Apache-2.0 1 2021-01-06 - 01:07 over 5 years
1.8.0-next-1610048765000 Apache-2.0 1 2021-01-07 - 19:48 over 5 years
1.8.0-next-1610125974000 Apache-2.0 1 2021-01-08 - 17:15 over 5 years
1.8.0-next-1610386489000 Apache-2.0 1 2021-01-11 - 17:37 over 5 years
1.8.0-next-1610568494000 Apache-2.0 1 2021-01-13 - 20:10 about 5 years
1.8.0-next-1610651384000 Apache-2.0 1 2021-01-14 - 19:19 about 5 years
1.8.0-next-1610755301000 Apache-2.0 1 2021-01-16 - 00:04 about 5 years
1.8.0-next-1610765784000 Apache-2.0 1 2021-01-16 - 02:58 about 5 years
1.8.0-next-1611031213000 Apache-2.0 1 2021-01-19 - 04:42 about 5 years
1.8.0-next-1611077434000 Apache-2.0 1 2021-01-19 - 17:32 about 5 years
1.8.0-next-1610743985000 Apache-2.0 1 2021-01-15 - 20:55 about 5 years
1.8.0-next-1610836633000 Apache-2.0 1 2021-01-16 - 22:39 about 5 years
1.8.0-next-1610915139000 Apache-2.0 1 2021-01-17 - 20:28 about 5 years
1.8.0-next-1611093761000 Apache-2.0 1 2021-01-19 - 22:05 about 5 years
1.8.0-next-1610665299000 Apache-2.0 1 2021-01-14 - 23:03 about 5 years
1.8.0-next-1610742610000 Apache-2.0 1 2021-01-15 - 20:32 about 5 years
1.8.0-next-1610762359000 Apache-2.0 1 2021-01-16 - 02:01 about 5 years
1.8.0-next-1610808160000 Apache-2.0 1 2021-01-16 - 14:44 about 5 years
1.8.0-next-1611032356000 Apache-2.0 1 2021-01-19 - 05:01 about 5 years
1.8.0-next-1610750628000 Apache-2.0 1 2021-01-15 - 22:46 about 5 years
1.8.0-next-1610764255000 Apache-2.0 1 2021-01-16 - 02:33 about 5 years
1.8.0-next-1611082098000 Apache-2.0 1 2021-01-19 - 18:51 about 5 years
1.8.0-next-1610684162000 Apache-2.0 1 2021-01-15 - 04:18 about 5 years