NodeJS/playwright/1.25.0-alpha-1659639526000

A high-level API to automate web browsers

https://www.npmjs.com/package/playwright
Apache-2.0

1 Security Vulnerabilities

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

Published date: 2025-10-14T18:30:36Z
CVE: CVE-2025-59288
Links:

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

  1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
  2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
  3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
  4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

Credit

  • This vulnerability was uncovered by tooling by Socket
  • This vulnerability was confirmed by @evilpacket
  • This vulnerability was reported by @JLLeitschuh at Socket

Disclosure

Affected versions: []
Secure versions: [1.55.1, 1.56.0, 1.56.0-alpha-1756475278000, 1.56.0-alpha-1756505518000, 1.56.0-alpha-1756945786000, 1.56.0-alpha-1757023974000, 1.56.0-alpha-1757090131000, 1.56.0-alpha-1757456950000, 1.56.0-alpha-1757464324000, 1.56.0-alpha-1757624765000, 1.56.0-alpha-1758061937000, 1.56.0-alpha-1758292576000, 1.56.0-alpha-1758747822000, 1.56.0-alpha-1758750661000, 1.56.0-alpha-1758818034000, 1.56.0-alpha-1758839353000, 1.56.0-alpha-1759271123000, 1.56.0-alpha-2025-08-20, 1.56.0-alpha-2025-08-21, 1.56.0-alpha-2025-08-22, 1.56.0-alpha-2025-08-23, 1.56.0-alpha-2025-08-24, 1.56.0-alpha-2025-08-25, 1.56.0-alpha-2025-08-26, 1.56.0-alpha-2025-08-27, 1.56.0-alpha-2025-08-28, 1.56.0-alpha-2025-08-29, 1.56.0-alpha-2025-08-30, 1.56.0-alpha-2025-08-31, 1.56.0-alpha-2025-09-01, 1.56.0-alpha-2025-09-02, 1.56.0-alpha-2025-09-03, 1.56.0-alpha-2025-09-04, 1.56.0-alpha-2025-09-05, 1.56.0-alpha-2025-09-06, 1.56.0-alpha-2025-09-07, 1.56.0-alpha-2025-09-08, 1.56.0-alpha-2025-09-09, 1.56.0-alpha-2025-09-10, 1.56.0-alpha-2025-09-11, 1.56.0-alpha-2025-09-12, 1.56.0-alpha-2025-09-13, 1.56.0-alpha-2025-09-14, 1.56.0-alpha-2025-09-15, 1.56.0-alpha-2025-09-16, 1.56.0-alpha-2025-09-17, 1.56.0-alpha-2025-09-18, 1.56.0-alpha-2025-09-20, 1.56.0-alpha-2025-09-21, 1.56.0-alpha-2025-09-22, 1.56.0-alpha-2025-09-23, 1.56.0-alpha-2025-09-24, 1.56.0-alpha-2025-09-25, 1.56.0-alpha-2025-09-26, 1.56.0-alpha-2025-09-27, 1.56.0-alpha-2025-09-28, 1.56.0-alpha-2025-09-29, 1.56.0-alpha-2025-09-30, 1.56.0-alpha-2025-10-01, 1.56.0-alpha-2025-10-02, 1.56.0-beta-1759412259000, 1.56.0-beta-1759435110000, 1.56.0-beta-1759451736000, 1.56.0-beta-1759527268000, 1.56.0-beta-1759754009000, 1.56.0-beta-1759755104000, 1.56.0-beta-1759756726000, 1.56.0-beta-1759761109000, 1.56.0-beta-1759771650000, 1.56.0-beta-1759861168000, 1.56.0-beta-1759867178000, 1.56.0-beta-1759868987000, 1.56.0-beta-1760652530000, 1.56.0-beta-1760659234000, 1.56.1, 1.56.1-beta-1760659320000, 1.56.1-beta-1760662108000, 1.56.1-beta-1761085025000, 1.57.0, 1.57.0-alpha-1760728340000, 1.57.0-alpha-1761929702000, 1.57.0-alpha-2025-10-03, 1.57.0-alpha-2025-10-04, 1.57.0-alpha-2025-10-05, 1.57.0-alpha-2025-10-06, 1.57.0-alpha-2025-10-07, 1.57.0-alpha-2025-10-08, 1.57.0-alpha-2025-10-09, 1.57.0-alpha-2025-10-10, 1.57.0-alpha-2025-10-11, 1.57.0-alpha-2025-10-12, 1.57.0-alpha-2025-10-13, 1.57.0-alpha-2025-10-14, 1.57.0-alpha-2025-10-15, 1.57.0-alpha-2025-10-16, 1.57.0-alpha-2025-10-17, 1.57.0-alpha-2025-10-18, 1.57.0-alpha-2025-10-19, 1.57.0-alpha-2025-10-20, 1.57.0-alpha-2025-10-21, 1.57.0-alpha-2025-10-22, 1.57.0-alpha-2025-10-23, 1.57.0-alpha-2025-10-24, 1.57.0-alpha-2025-10-25, 1.57.0-alpha-2025-10-26, 1.57.0-alpha-2025-10-27, 1.57.0-alpha-2025-10-28, 1.57.0-alpha-2025-10-29, 1.57.0-alpha-2025-10-30, 1.57.0-alpha-2025-10-31, 1.57.0-alpha-2025-11-01, 1.57.0-alpha-2025-11-02, 1.57.0-alpha-2025-11-03, 1.57.0-alpha-2025-11-04, 1.57.0-alpha-2025-11-05, 1.57.0-alpha-2025-11-06, 1.57.0-alpha-2025-11-07, 1.57.0-alpha-2025-11-08, 1.57.0-alpha-2025-11-09, 1.57.0-alpha-2025-11-10, 1.57.0-alpha-2025-11-11, 1.57.0-alpha-2025-11-12, 1.57.0-alpha-2025-11-13, 1.57.0-alpha-2025-11-14, 1.57.0-alpha-2025-11-15, 1.57.0-alpha-2025-11-16, 1.57.0-alpha-2025-11-17, 1.57.0-alpha-2025-11-18, 1.57.0-alpha-2025-11-19, 1.57.0-alpha-2025-11-20, 1.57.0-beta-1763649092000, 1.57.0-beta-1763718928000, 1.57.0-beta-1763739794000, 1.57.0-beta-1764065820000, 1.57.0-beta-1764069017000, 1.57.0-beta-1764692940000, 1.57.0-beta-1764944708000, 1.57.0-beta-1765994134000, 1.57.0-beta-1765994843000, 1.58.0, 1.58.0-alpha-1763757971000, 1.58.0-alpha-1764325208000, 1.58.0-alpha-1764682370000, 1.58.0-alpha-1764708599000, 1.58.0-alpha-1766189059000, 1.58.0-alpha-1766484475000, 1.58.0-alpha-1767864918000, 1.58.0-alpha-2025-11-21, 1.58.0-alpha-2025-11-22, 1.58.0-alpha-2025-11-23, 1.58.0-alpha-2025-11-24, 1.58.0-alpha-2025-11-25, 1.58.0-alpha-2025-11-26, 1.58.0-alpha-2025-11-27, 1.58.0-alpha-2025-11-28, 1.58.0-alpha-2025-11-29, 1.58.0-alpha-2025-11-30, 1.58.0-alpha-2025-12-01, 1.58.0-alpha-2025-12-02, 1.58.0-alpha-2025-12-03, 1.58.0-alpha-2025-12-04, 1.58.0-alpha-2025-12-05, 1.58.0-alpha-2025-12-06, 1.58.0-alpha-2025-12-07, 1.58.0-alpha-2025-12-08, 1.58.0-alpha-2025-12-09, 1.58.0-alpha-2025-12-10, 1.58.0-alpha-2025-12-11, 1.58.0-alpha-2025-12-12, 1.58.0-alpha-2025-12-13, 1.58.0-alpha-2025-12-14, 1.58.0-alpha-2025-12-15, 1.58.0-alpha-2025-12-16, 1.58.0-alpha-2025-12-17, 1.58.0-alpha-2025-12-18, 1.58.0-alpha-2025-12-19, 1.58.0-alpha-2025-12-20, 1.58.0-alpha-2025-12-21, 1.58.0-alpha-2025-12-22, 1.58.0-alpha-2025-12-23, 1.58.0-alpha-2025-12-24, 1.58.0-alpha-2025-12-25, 1.58.0-alpha-2025-12-26, 1.58.0-alpha-2025-12-27, 1.58.0-alpha-2025-12-28, 1.58.0-alpha-2025-12-29, 1.58.0-alpha-2025-12-30, 1.58.0-alpha-2025-12-31, 1.58.0-alpha-2026-01-01, 1.58.0-alpha-2026-01-02, 1.58.0-alpha-2026-01-03, 1.58.0-alpha-2026-01-04, 1.58.0-alpha-2026-01-05, 1.58.0-alpha-2026-01-06, 1.58.0-alpha-2026-01-07, 1.58.0-alpha-2026-01-08, 1.58.0-alpha-2026-01-09, 1.58.0-alpha-2026-01-10, 1.58.0-alpha-2026-01-11, 1.58.0-alpha-2026-01-12, 1.58.0-alpha-2026-01-13, 1.58.0-alpha-2026-01-14, 1.58.0-alpha-2026-01-15, 1.58.0-alpha-2026-01-16, 1.58.0-alpha-2026-01-17, 1.58.0-alpha-2026-01-18, 1.58.0-alpha-2026-01-19, 1.58.0-alpha-2026-01-20, 1.58.0-alpha-2026-01-21, 1.58.0-alpha-2026-01-22, 1.58.0-beta-1769095880000, 1.58.0-beta-1769164624000, 1.58.0-beta-1769640251000, 1.58.0-beta-1769780171000, 1.58.0-beta-1769780184000, 1.58.1, 1.58.1-beta-1769785134000, 1.58.1-beta-1769790992000, 1.58.1-beta-1770315402000, 1.58.1-beta-1770318439000, 1.58.1-beta-1770320340000, 1.58.2, 1.58.2-beta-1770322573000, 1.58.2-beta-1770385335000, 1.58.2-beta-1771982315000, 1.59.0, 1.59.0-alpha-1769176698000, 1.59.0-alpha-1769191051000, 1.59.0-alpha-1769208470000, 1.59.0-alpha-1769217009000, 1.59.0-alpha-1769364499000, 1.59.0-alpha-1769450964000, 1.59.0-alpha-1769452054000, 1.59.0-alpha-1769561805000, 1.59.0-alpha-1769649705000, 1.59.0-alpha-1769819922000, 1.59.0-alpha-1770084836000, 1.59.0-alpha-1770157258000, 1.59.0-alpha-1770286317000, 1.59.0-alpha-1770309616000, 1.59.0-alpha-1770338664000, 1.59.0-alpha-1770396925000, 1.59.0-alpha-1770400094000, 1.59.0-alpha-1770424401000, 1.59.0-alpha-1770426101000, 1.59.0-alpha-1771028105000, 1.59.0-alpha-1771041074000, 1.59.0-alpha-1771104257000, 1.59.0-alpha-1771260841000, 1.59.0-alpha-1773451864000, 1.59.0-alpha-1773598190000, 1.59.0-alpha-1773608981000, 1.59.0-alpha-1773706743000, 1.59.0-alpha-1773960956000, 1.59.0-alpha-1774017892000, 1.59.0-alpha-1774052454000, 1.59.0-alpha-1774287265000, 1.59.0-alpha-1774622285000, 1.59.0-alpha-1774656214000, 1.59.0-alpha-1774661115000, 1.59.0-alpha-1774903871000, 1.59.0-alpha-1774912654000, 1.59.0-alpha-2026-01-23, 1.59.0-alpha-2026-01-24, 1.59.0-alpha-2026-01-25, 1.59.0-alpha-2026-01-26, 1.59.0-alpha-2026-01-27, 1.59.0-alpha-2026-01-28, 1.59.0-alpha-2026-01-29, 1.59.0-alpha-2026-01-30, 1.59.0-alpha-2026-01-31, 1.59.0-alpha-2026-02-01, 1.59.0-alpha-2026-02-02, 1.59.0-alpha-2026-02-03, 1.59.0-alpha-2026-02-04, 1.59.0-alpha-2026-02-05, 1.59.0-alpha-2026-02-06, 1.59.0-alpha-2026-02-07, 1.59.0-alpha-2026-02-08, 1.59.0-alpha-2026-02-09, 1.59.0-alpha-2026-02-10, 1.59.0-alpha-2026-02-11, 1.59.0-alpha-2026-02-12, 1.59.0-alpha-2026-02-13, 1.59.0-alpha-2026-02-14, 1.59.0-alpha-2026-02-15, 1.59.0-alpha-2026-02-16, 1.59.0-alpha-2026-02-17, 1.59.0-alpha-2026-02-18, 1.59.0-alpha-2026-02-19, 1.59.0-alpha-2026-02-20, 1.59.0-alpha-2026-02-21, 1.59.0-alpha-2026-02-22, 1.59.0-alpha-2026-02-23, 1.59.0-alpha-2026-02-24, 1.59.0-alpha-2026-02-25, 1.59.0-alpha-2026-02-26, 1.59.0-alpha-2026-02-27, 1.59.0-alpha-2026-02-28, 1.59.0-alpha-2026-03-01, 1.59.0-alpha-2026-03-02, 1.59.0-alpha-2026-03-03, 1.59.0-alpha-2026-03-04, 1.59.0-alpha-2026-03-05, 1.59.0-alpha-2026-03-06, 1.59.0-alpha-2026-03-07, 1.59.0-alpha-2026-03-08, 1.59.0-alpha-2026-03-09, 1.59.0-alpha-2026-03-10, 1.59.0-alpha-2026-03-11, 1.59.0-alpha-2026-03-12, 1.59.0-alpha-2026-03-13, 1.59.0-alpha-2026-03-14, 1.59.0-alpha-2026-03-15, 1.59.0-alpha-2026-03-16, 1.59.0-alpha-2026-03-17, 1.59.0-alpha-2026-03-18, 1.59.0-alpha-2026-03-19, 1.59.0-alpha-2026-03-20, 1.59.0-alpha-2026-03-21, 1.59.0-alpha-2026-03-22, 1.59.0-alpha-2026-03-23, 1.59.0-alpha-2026-03-24, 1.59.0-alpha-2026-03-25, 1.59.0-alpha-2026-03-26, 1.59.0-alpha-2026-03-27, 1.59.0-alpha-2026-03-28, 1.59.0-alpha-2026-03-29, 1.59.0-alpha-2026-03-30, 1.59.0-beta-1774915887000, 1.59.0-beta-1774918830000, 1.59.0-beta-1774952471000, 1.59.0-beta-1774957992000, 1.59.0-beta-1774960396000, 1.59.0-beta-1774969283000, 1.59.0-beta-1774973666000, 1.59.0-beta-1774974568000, 1.59.0-beta-1774983340000, 1.59.0-beta-1774990462000, 1.59.0-beta-1774995564000, 1.59.0-beta-1774999371000, 1.59.0-beta-1775060947000, 1.59.0-beta-1775061558000, 1.59.1, 1.59.1-beta-1775063275000, 1.59.1-beta-1775097386000, 1.59.1-beta-1775752988000, 1.59.1-beta-1775762078000, 1.60.0-alpha-1774999321000, 1.60.0-alpha-1775059755000, 1.60.0-alpha-1775061447000, 1.60.0-alpha-1775180302000, 1.60.0-alpha-1775237291000, 1.60.0-alpha-1775258971000, 1.60.0-alpha-1775584683000, 1.60.0-alpha-1775674864000, 1.60.0-alpha-1775752697000, 1.60.0-alpha-1775931579000, 1.60.0-alpha-1775951570000, 1.60.0-alpha-2026-03-31, 1.60.0-alpha-2026-04-01, 1.60.0-alpha-2026-04-02, 1.60.0-alpha-2026-04-03, 1.60.0-alpha-2026-04-04, 1.60.0-alpha-2026-04-05, 1.60.0-alpha-2026-04-06, 1.60.0-alpha-2026-04-07, 1.60.0-alpha-2026-04-08, 1.60.0-alpha-2026-04-09, 1.60.0-alpha-2026-04-10, 1.60.0-alpha-2026-04-11, 1.60.0-alpha-2026-04-13]
Recommendation: Update to version 1.59.1.

5458 Other Versions

Version License Security Released
1.5.0-next.1603087355662 Apache-2.0 1 2020-10-19 - 06:02 over 5 years
1.5.0-next.1602867974353 Apache-2.0 1 2020-10-16 - 17:06 over 5 years
1.5.0-next.1602861464393 Apache-2.0 1 2020-10-16 - 15:17 over 5 years
1.5.0-next.1602837014187 Apache-2.0 1 2020-10-16 - 08:30 over 5 years
1.5.0-next.1602797475811 Apache-2.0 1 2020-10-15 - 21:31 over 5 years
1.5.0-next.1602795082205 Apache-2.0 1 2020-10-15 - 20:51 over 5 years
1.5.0-next.1602783231957 Apache-2.0 1 2020-10-15 - 17:34 over 5 years
1.5.0-next.1602780837095 Apache-2.0 1 2020-10-15 - 16:54 over 5 years
1.5.0-next.1602777285416 Apache-2.0 1 2020-10-15 - 15:55 over 5 years
1.5.0-next.1602757854270 Apache-2.0 1 2020-10-15 - 10:31 over 5 years
1.5.0-next.1602739732047 Apache-2.0 1 2020-10-15 - 05:29 over 5 years
1.5.0-next.1602717398967 Apache-2.0 1 2020-10-14 - 23:16 over 5 years
1.5.0-next.1602713485778 Apache-2.0 1 2020-10-14 - 22:11 over 5 years
1.5.0-next.1602713090854 Apache-2.0 1 2020-10-14 - 22:05 over 5 years
1.5.0-next.1602709974612 Apache-2.0 1 2020-10-14 - 21:13 over 5 years
1.5.0-next.1602697602857 Apache-2.0 1 2020-10-14 - 17:46 over 5 years
1.5.0-next.1602697077618 Apache-2.0 1 2020-10-14 - 17:38 over 5 years
1.5.0-next.1602693509937 Apache-2.0 1 2020-10-14 - 16:38 over 5 years
1.5.0-next.1602680104325 Apache-2.0 1 2020-10-14 - 12:55 over 5 years
1.5.0-next.1602654218274 Apache-2.0 1 2020-10-14 - 05:43 over 5 years
1.5.0-next.1602652687944 Apache-2.0 1 2020-10-14 - 05:18 over 5 years
1.5.0-next.1602620459835 Apache-2.0 1 2020-10-13 - 20:21 over 5 years
1.5.0-next.1602617198311 Apache-2.0 1 2020-10-13 - 19:26 over 5 years
1.5.0-next.1602616819317 Apache-2.0 1 2020-10-13 - 19:20 over 5 years
1.5.0-next.1602614758875 Apache-2.0 1 2020-10-13 - 18:46 over 5 years
1.5.0-next.1602614121721 Apache-2.0 1 2020-10-13 - 18:35 over 5 years
1.5.0-next.1602606939387 Apache-2.0 1 2020-10-13 - 16:35 over 5 years
1.5.0-next.1602604894123 Apache-2.0 1 2020-10-13 - 16:01 over 5 years
1.5.0-next.1602567394434 Apache-2.0 1 2020-10-13 - 05:36 over 5 years
1.5.0-next.1602564829195 Apache-2.0 1 2020-10-13 - 04:54 over 5 years
1.5.0-next.1602552387242 Apache-2.0 1 2020-10-13 - 01:26 over 5 years
1.5.0-next.1602552164093 Apache-2.0 1 2020-10-13 - 01:22 over 5 years
1.6.2 Apache-2.0 1 2020-11-17 - 21:04 over 5 years
1.6.1 Apache-2.0 1 2020-11-13 - 02:55 over 5 years
1.6.0 Apache-2.0 1 2020-11-12 - 22:56 over 5 years
1.4.2-next.1600904063807 Apache-2.0 1 2020-09-23 - 23:34 over 5 years
1.4.0-next.1602542830200 Apache-2.0 1 2020-10-12 - 22:47 over 5 years
1.4.0-next.1602538162833 Apache-2.0 1 2020-10-12 - 21:29 over 5 years
1.4.0-next.1602535879673 Apache-2.0 1 2020-10-12 - 20:51 over 5 years
1.4.0-next.1602519496667 Apache-2.0 1 2020-10-12 - 16:18 over 5 years
1.4.0-next.1602392011053 Apache-2.0 1 2020-10-11 - 04:53 over 5 years
1.4.0-next.1602285232813 Apache-2.0 1 2020-10-09 - 23:14 over 5 years
1.4.0-next.1602284292050 Apache-2.0 1 2020-10-09 - 22:58 over 5 years
1.4.0-next.1602274092905 Apache-2.0 1 2020-10-09 - 20:08 over 5 years
1.4.0-next.1602269246657 Apache-2.0 1 2020-10-09 - 18:47 over 5 years
1.4.0-next.1602268229295 Apache-2.0 1 2020-10-09 - 18:30 over 5 years
1.4.0-next.1602267320780 Apache-2.0 1 2020-10-09 - 18:15 over 5 years
1.4.0-next.1602261306397 Apache-2.0 1 2020-10-09 - 16:35 over 5 years
1.4.0-next.1602221421021 Apache-2.0 1 2020-10-09 - 05:30 over 5 years
1.4.0-next.1602219946954 Apache-2.0 1 2020-10-09 - 05:06 over 5 years