NodeJS/playwright/1.5.0-next.1603759343720

A high-level API to automate web browsers

https://www.npmjs.com/package/playwright
Apache-2.0

1 Security Vulnerabilities

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

Published date: 2025-10-14T18:30:36Z
CVE: CVE-2025-59288
Links:

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

  1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
  2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
  3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
  4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

Credit

  • This vulnerability was uncovered by tooling by Socket
  • This vulnerability was confirmed by @evilpacket
  • This vulnerability was reported by @JLLeitschuh at Socket

Disclosure

Affected versions: []
Secure versions: [1.55.1, 1.56.0, 1.56.0-alpha-1756475278000, 1.56.0-alpha-1756505518000, 1.56.0-alpha-1756945786000, 1.56.0-alpha-1757023974000, 1.56.0-alpha-1757090131000, 1.56.0-alpha-1757456950000, 1.56.0-alpha-1757464324000, 1.56.0-alpha-1757624765000, 1.56.0-alpha-1758061937000, 1.56.0-alpha-1758292576000, 1.56.0-alpha-1758747822000, 1.56.0-alpha-1758750661000, 1.56.0-alpha-1758818034000, 1.56.0-alpha-1758839353000, 1.56.0-alpha-1759271123000, 1.56.0-alpha-2025-08-20, 1.56.0-alpha-2025-08-21, 1.56.0-alpha-2025-08-22, 1.56.0-alpha-2025-08-23, 1.56.0-alpha-2025-08-24, 1.56.0-alpha-2025-08-25, 1.56.0-alpha-2025-08-26, 1.56.0-alpha-2025-08-27, 1.56.0-alpha-2025-08-28, 1.56.0-alpha-2025-08-29, 1.56.0-alpha-2025-08-30, 1.56.0-alpha-2025-08-31, 1.56.0-alpha-2025-09-01, 1.56.0-alpha-2025-09-02, 1.56.0-alpha-2025-09-03, 1.56.0-alpha-2025-09-04, 1.56.0-alpha-2025-09-05, 1.56.0-alpha-2025-09-06, 1.56.0-alpha-2025-09-07, 1.56.0-alpha-2025-09-08, 1.56.0-alpha-2025-09-09, 1.56.0-alpha-2025-09-10, 1.56.0-alpha-2025-09-11, 1.56.0-alpha-2025-09-12, 1.56.0-alpha-2025-09-13, 1.56.0-alpha-2025-09-14, 1.56.0-alpha-2025-09-15, 1.56.0-alpha-2025-09-16, 1.56.0-alpha-2025-09-17, 1.56.0-alpha-2025-09-18, 1.56.0-alpha-2025-09-20, 1.56.0-alpha-2025-09-21, 1.56.0-alpha-2025-09-22, 1.56.0-alpha-2025-09-23, 1.56.0-alpha-2025-09-24, 1.56.0-alpha-2025-09-25, 1.56.0-alpha-2025-09-26, 1.56.0-alpha-2025-09-27, 1.56.0-alpha-2025-09-28, 1.56.0-alpha-2025-09-29, 1.56.0-alpha-2025-09-30, 1.56.0-alpha-2025-10-01, 1.56.0-alpha-2025-10-02, 1.56.0-beta-1759412259000, 1.56.0-beta-1759435110000, 1.56.0-beta-1759451736000, 1.56.0-beta-1759527268000, 1.56.0-beta-1759754009000, 1.56.0-beta-1759755104000, 1.56.0-beta-1759756726000, 1.56.0-beta-1759761109000, 1.56.0-beta-1759771650000, 1.56.0-beta-1759861168000, 1.56.0-beta-1759867178000, 1.56.0-beta-1759868987000, 1.56.0-beta-1760652530000, 1.56.0-beta-1760659234000, 1.56.1, 1.56.1-beta-1760659320000, 1.56.1-beta-1760662108000, 1.56.1-beta-1761085025000, 1.57.0, 1.57.0-alpha-1760728340000, 1.57.0-alpha-1761929702000, 1.57.0-alpha-2025-10-03, 1.57.0-alpha-2025-10-04, 1.57.0-alpha-2025-10-05, 1.57.0-alpha-2025-10-06, 1.57.0-alpha-2025-10-07, 1.57.0-alpha-2025-10-08, 1.57.0-alpha-2025-10-09, 1.57.0-alpha-2025-10-10, 1.57.0-alpha-2025-10-11, 1.57.0-alpha-2025-10-12, 1.57.0-alpha-2025-10-13, 1.57.0-alpha-2025-10-14, 1.57.0-alpha-2025-10-15, 1.57.0-alpha-2025-10-16, 1.57.0-alpha-2025-10-17, 1.57.0-alpha-2025-10-18, 1.57.0-alpha-2025-10-19, 1.57.0-alpha-2025-10-20, 1.57.0-alpha-2025-10-21, 1.57.0-alpha-2025-10-22, 1.57.0-alpha-2025-10-23, 1.57.0-alpha-2025-10-24, 1.57.0-alpha-2025-10-25, 1.57.0-alpha-2025-10-26, 1.57.0-alpha-2025-10-27, 1.57.0-alpha-2025-10-28, 1.57.0-alpha-2025-10-29, 1.57.0-alpha-2025-10-30, 1.57.0-alpha-2025-10-31, 1.57.0-alpha-2025-11-01, 1.57.0-alpha-2025-11-02, 1.57.0-alpha-2025-11-03, 1.57.0-alpha-2025-11-04, 1.57.0-alpha-2025-11-05, 1.57.0-alpha-2025-11-06, 1.57.0-alpha-2025-11-07, 1.57.0-alpha-2025-11-08, 1.57.0-alpha-2025-11-09, 1.57.0-alpha-2025-11-10, 1.57.0-alpha-2025-11-11, 1.57.0-alpha-2025-11-12, 1.57.0-alpha-2025-11-13, 1.57.0-alpha-2025-11-14, 1.57.0-alpha-2025-11-15, 1.57.0-alpha-2025-11-16, 1.57.0-alpha-2025-11-17, 1.57.0-alpha-2025-11-18, 1.57.0-alpha-2025-11-19, 1.57.0-alpha-2025-11-20, 1.57.0-beta-1763649092000, 1.57.0-beta-1763718928000, 1.57.0-beta-1763739794000, 1.57.0-beta-1764065820000, 1.57.0-beta-1764069017000, 1.57.0-beta-1764692940000, 1.57.0-beta-1764944708000, 1.57.0-beta-1765994134000, 1.57.0-beta-1765994843000, 1.58.0, 1.58.0-alpha-1763757971000, 1.58.0-alpha-1764325208000, 1.58.0-alpha-1764682370000, 1.58.0-alpha-1764708599000, 1.58.0-alpha-1766189059000, 1.58.0-alpha-1766484475000, 1.58.0-alpha-1767864918000, 1.58.0-alpha-2025-11-21, 1.58.0-alpha-2025-11-22, 1.58.0-alpha-2025-11-23, 1.58.0-alpha-2025-11-24, 1.58.0-alpha-2025-11-25, 1.58.0-alpha-2025-11-26, 1.58.0-alpha-2025-11-27, 1.58.0-alpha-2025-11-28, 1.58.0-alpha-2025-11-29, 1.58.0-alpha-2025-11-30, 1.58.0-alpha-2025-12-01, 1.58.0-alpha-2025-12-02, 1.58.0-alpha-2025-12-03, 1.58.0-alpha-2025-12-04, 1.58.0-alpha-2025-12-05, 1.58.0-alpha-2025-12-06, 1.58.0-alpha-2025-12-07, 1.58.0-alpha-2025-12-08, 1.58.0-alpha-2025-12-09, 1.58.0-alpha-2025-12-10, 1.58.0-alpha-2025-12-11, 1.58.0-alpha-2025-12-12, 1.58.0-alpha-2025-12-13, 1.58.0-alpha-2025-12-14, 1.58.0-alpha-2025-12-15, 1.58.0-alpha-2025-12-16, 1.58.0-alpha-2025-12-17, 1.58.0-alpha-2025-12-18, 1.58.0-alpha-2025-12-19, 1.58.0-alpha-2025-12-20, 1.58.0-alpha-2025-12-21, 1.58.0-alpha-2025-12-22, 1.58.0-alpha-2025-12-23, 1.58.0-alpha-2025-12-24, 1.58.0-alpha-2025-12-25, 1.58.0-alpha-2025-12-26, 1.58.0-alpha-2025-12-27, 1.58.0-alpha-2025-12-28, 1.58.0-alpha-2025-12-29, 1.58.0-alpha-2025-12-30, 1.58.0-alpha-2025-12-31, 1.58.0-alpha-2026-01-01, 1.58.0-alpha-2026-01-02, 1.58.0-alpha-2026-01-03, 1.58.0-alpha-2026-01-04, 1.58.0-alpha-2026-01-05, 1.58.0-alpha-2026-01-06, 1.58.0-alpha-2026-01-07, 1.58.0-alpha-2026-01-08, 1.58.0-alpha-2026-01-09, 1.58.0-alpha-2026-01-10, 1.58.0-alpha-2026-01-11, 1.58.0-alpha-2026-01-12, 1.58.0-alpha-2026-01-13, 1.58.0-alpha-2026-01-14, 1.58.0-alpha-2026-01-15, 1.58.0-alpha-2026-01-16, 1.58.0-alpha-2026-01-17, 1.58.0-alpha-2026-01-18, 1.58.0-alpha-2026-01-19, 1.58.0-alpha-2026-01-20, 1.58.0-alpha-2026-01-21, 1.58.0-alpha-2026-01-22, 1.58.0-beta-1769095880000, 1.58.0-beta-1769164624000, 1.58.0-beta-1769640251000, 1.58.0-beta-1769780171000, 1.58.0-beta-1769780184000, 1.58.1, 1.58.1-beta-1769785134000, 1.58.1-beta-1769790992000, 1.58.1-beta-1770315402000, 1.58.1-beta-1770318439000, 1.58.1-beta-1770320340000, 1.58.2, 1.58.2-beta-1770322573000, 1.58.2-beta-1770385335000, 1.58.2-beta-1771982315000, 1.59.0, 1.59.0-alpha-1769176698000, 1.59.0-alpha-1769191051000, 1.59.0-alpha-1769208470000, 1.59.0-alpha-1769217009000, 1.59.0-alpha-1769364499000, 1.59.0-alpha-1769450964000, 1.59.0-alpha-1769452054000, 1.59.0-alpha-1769561805000, 1.59.0-alpha-1769649705000, 1.59.0-alpha-1769819922000, 1.59.0-alpha-1770084836000, 1.59.0-alpha-1770157258000, 1.59.0-alpha-1770286317000, 1.59.0-alpha-1770309616000, 1.59.0-alpha-1770338664000, 1.59.0-alpha-1770396925000, 1.59.0-alpha-1770400094000, 1.59.0-alpha-1770424401000, 1.59.0-alpha-1770426101000, 1.59.0-alpha-1771028105000, 1.59.0-alpha-1771041074000, 1.59.0-alpha-1771104257000, 1.59.0-alpha-1771260841000, 1.59.0-alpha-1773451864000, 1.59.0-alpha-1773598190000, 1.59.0-alpha-1773608981000, 1.59.0-alpha-1773706743000, 1.59.0-alpha-1773960956000, 1.59.0-alpha-1774017892000, 1.59.0-alpha-1774052454000, 1.59.0-alpha-1774287265000, 1.59.0-alpha-1774622285000, 1.59.0-alpha-1774656214000, 1.59.0-alpha-1774661115000, 1.59.0-alpha-1774903871000, 1.59.0-alpha-1774912654000, 1.59.0-alpha-2026-01-23, 1.59.0-alpha-2026-01-24, 1.59.0-alpha-2026-01-25, 1.59.0-alpha-2026-01-26, 1.59.0-alpha-2026-01-27, 1.59.0-alpha-2026-01-28, 1.59.0-alpha-2026-01-29, 1.59.0-alpha-2026-01-30, 1.59.0-alpha-2026-01-31, 1.59.0-alpha-2026-02-01, 1.59.0-alpha-2026-02-02, 1.59.0-alpha-2026-02-03, 1.59.0-alpha-2026-02-04, 1.59.0-alpha-2026-02-05, 1.59.0-alpha-2026-02-06, 1.59.0-alpha-2026-02-07, 1.59.0-alpha-2026-02-08, 1.59.0-alpha-2026-02-09, 1.59.0-alpha-2026-02-10, 1.59.0-alpha-2026-02-11, 1.59.0-alpha-2026-02-12, 1.59.0-alpha-2026-02-13, 1.59.0-alpha-2026-02-14, 1.59.0-alpha-2026-02-15, 1.59.0-alpha-2026-02-16, 1.59.0-alpha-2026-02-17, 1.59.0-alpha-2026-02-18, 1.59.0-alpha-2026-02-19, 1.59.0-alpha-2026-02-20, 1.59.0-alpha-2026-02-21, 1.59.0-alpha-2026-02-22, 1.59.0-alpha-2026-02-23, 1.59.0-alpha-2026-02-24, 1.59.0-alpha-2026-02-25, 1.59.0-alpha-2026-02-26, 1.59.0-alpha-2026-02-27, 1.59.0-alpha-2026-02-28, 1.59.0-alpha-2026-03-01, 1.59.0-alpha-2026-03-02, 1.59.0-alpha-2026-03-03, 1.59.0-alpha-2026-03-04, 1.59.0-alpha-2026-03-05, 1.59.0-alpha-2026-03-06, 1.59.0-alpha-2026-03-07, 1.59.0-alpha-2026-03-08, 1.59.0-alpha-2026-03-09, 1.59.0-alpha-2026-03-10, 1.59.0-alpha-2026-03-11, 1.59.0-alpha-2026-03-12, 1.59.0-alpha-2026-03-13, 1.59.0-alpha-2026-03-14, 1.59.0-alpha-2026-03-15, 1.59.0-alpha-2026-03-16, 1.59.0-alpha-2026-03-17, 1.59.0-alpha-2026-03-18, 1.59.0-alpha-2026-03-19, 1.59.0-alpha-2026-03-20, 1.59.0-alpha-2026-03-21, 1.59.0-alpha-2026-03-22, 1.59.0-alpha-2026-03-23, 1.59.0-alpha-2026-03-24, 1.59.0-alpha-2026-03-25, 1.59.0-alpha-2026-03-26, 1.59.0-alpha-2026-03-27, 1.59.0-alpha-2026-03-28, 1.59.0-alpha-2026-03-29, 1.59.0-alpha-2026-03-30, 1.59.0-beta-1774915887000, 1.59.0-beta-1774918830000, 1.59.0-beta-1774952471000, 1.59.0-beta-1774957992000, 1.59.0-beta-1774960396000, 1.59.0-beta-1774969283000, 1.59.0-beta-1774973666000, 1.59.0-beta-1774974568000, 1.59.0-beta-1774983340000, 1.59.0-beta-1774990462000, 1.59.0-beta-1774995564000, 1.59.0-beta-1774999371000, 1.59.0-beta-1775060947000, 1.59.0-beta-1775061558000, 1.59.1, 1.59.1-beta-1775063275000, 1.59.1-beta-1775097386000, 1.59.1-beta-1775752988000, 1.59.1-beta-1775762078000, 1.60.0-alpha-1774999321000, 1.60.0-alpha-1775059755000, 1.60.0-alpha-1775061447000, 1.60.0-alpha-1775180302000, 1.60.0-alpha-1775237291000, 1.60.0-alpha-1775258971000, 1.60.0-alpha-1775584683000, 1.60.0-alpha-1775674864000, 1.60.0-alpha-1775752697000, 1.60.0-alpha-1775931579000, 1.60.0-alpha-1775951570000, 1.60.0-alpha-1776119671000, 1.60.0-alpha-1776125391000, 1.60.0-alpha-2026-03-31, 1.60.0-alpha-2026-04-01, 1.60.0-alpha-2026-04-02, 1.60.0-alpha-2026-04-03, 1.60.0-alpha-2026-04-04, 1.60.0-alpha-2026-04-05, 1.60.0-alpha-2026-04-06, 1.60.0-alpha-2026-04-07, 1.60.0-alpha-2026-04-08, 1.60.0-alpha-2026-04-09, 1.60.0-alpha-2026-04-10, 1.60.0-alpha-2026-04-11, 1.60.0-alpha-2026-04-13, 1.60.0-alpha-2026-04-14]
Recommendation: Update to version 1.59.1.

5461 Other Versions

Version License Security Released
1.6.0-next.1604517936339 Apache-2.0 1 2020-11-04 - 19:25 over 5 years
1.6.0-next.1604516539153 Apache-2.0 1 2020-11-04 - 19:02 over 5 years
1.6.0-next.1604514370393 Apache-2.0 1 2020-11-04 - 18:26 over 5 years
1.6.0-next.1604511976624 Apache-2.0 1 2020-11-04 - 17:46 over 5 years
1.6.0-next.1604504458977 Apache-2.0 1 2020-11-04 - 15:41 over 5 years
1.6.0-next.1604504226151 Apache-2.0 1 2020-11-04 - 15:37 over 5 years
1.6.0-next.1604458863005 Apache-2.0 1 2020-11-04 - 03:01 over 5 years
1.6.0-next.1604458657431 Apache-2.0 1 2020-11-04 - 02:57 over 5 years
1.6.0-next.1604449454516 Apache-2.0 1 2020-11-04 - 00:24 over 5 years
1.6.0-next.1604444190264 Apache-2.0 1 2020-11-03 - 22:56 over 5 years
1.6.0-next.1604444008055 Apache-2.0 1 2020-11-03 - 22:53 over 5 years
1.6.0-next.1604442905543 Apache-2.0 1 2020-11-03 - 22:35 over 5 years
1.6.0-next.1604438335710 Apache-2.0 1 2020-11-03 - 21:19 over 5 years
1.6.0-next.1604431974611 Apache-2.0 1 2020-11-03 - 19:33 over 5 years
1.6.0-next.1604407132436 Apache-2.0 1 2020-11-03 - 12:39 over 5 years
1.6.0-next.1604379778790 Apache-2.0 1 2020-11-03 - 05:03 over 5 years
1.6.0-next.1604375030788 Apache-2.0 1 2020-11-03 - 03:44 over 5 years
1.6.0-next.1604370816246 Apache-2.0 1 2020-11-03 - 02:33 over 5 years
1.6.0-next.1604370589377 Apache-2.0 1 2020-11-03 - 02:30 over 5 years
1.6.0-next.1604367121136 Apache-2.0 1 2020-11-03 - 01:32 over 5 years
1.6.0-next.1604363004235 Apache-2.0 1 2020-11-03 - 00:23 over 5 years
1.6.0-next.1604356576502 Apache-2.0 1 2020-11-02 - 22:36 over 5 years
1.6.0-next.1604355180033 Apache-2.0 1 2020-11-02 - 22:13 over 5 years
1.6.0-next.1604353250286 Apache-2.0 1 2020-11-02 - 21:41 over 5 years
1.6.0-next.1604351328220 Apache-2.0 1 2020-11-02 - 21:09 over 5 years
1.6.0-next.1604350952367 Apache-2.0 1 2020-11-02 - 21:02 over 5 years
1.6.0-next.1604350213419 Apache-2.0 1 2020-11-02 - 20:50 over 5 years
1.6.0-next.1604345898278 Apache-2.0 1 2020-11-02 - 19:38 over 5 years
1.6.0-next.1604099897983 Apache-2.0 1 2020-10-30 - 23:18 over 5 years
1.6.0-next.1604094577517 Apache-2.0 1 2020-10-30 - 21:49 over 5 years
1.6.0-next.1604090471094 Apache-2.0 1 2020-10-30 - 20:41 over 5 years
1.6.0-next.1604087279768 Apache-2.0 1 2020-10-30 - 19:48 over 5 years
1.6.0-next.1604087072812 Apache-2.0 1 2020-10-30 - 19:44 over 5 years
1.6.0-next.1604079389424 Apache-2.0 1 2020-10-30 - 17:36 over 5 years
1.6.0-next.1604018890865 Apache-2.0 1 2020-10-30 - 00:48 over 5 years
1.7.1 Apache-2.0 1 2020-12-22 - 18:41 over 5 years
1.7.0 Apache-2.0 1 2020-12-15 - 23:09 over 5 years
1.5.2-next.1603833673751 Apache-2.0 1 2020-10-27 - 21:21 over 5 years
1.5.1-next.1603830636096 Apache-2.0 1 2020-10-27 - 20:30 over 5 years
1.5.1-next.1603774056456 Apache-2.0 1 2020-10-27 - 04:47 over 5 years
1.5.1-next.1603475519841 Apache-2.0 1 2020-10-23 - 17:52 over 5 years
1.5.0-next.1604014572633 Apache-2.0 1 2020-10-29 - 23:36 over 5 years
1.5.0-next.1604013309987 Apache-2.0 1 2020-10-29 - 23:15 over 5 years
1.5.0-next.1603998405942 Apache-2.0 1 2020-10-29 - 19:07 over 5 years
1.5.0-next.1603926163258 Apache-2.0 1 2020-10-28 - 23:02 over 5 years
1.5.0-next.1603926030124 Apache-2.0 1 2020-10-28 - 23:00 over 5 years
1.5.0-next.1603925710895 Apache-2.0 1 2020-10-28 - 22:55 over 5 years
1.5.0-next.1603921760661 Apache-2.0 1 2020-10-28 - 21:49 over 5 years
1.5.0-next.1603918082127 Apache-2.0 1 2020-10-28 - 20:48 over 5 years
1.5.0-next.1603907834797 Apache-2.0 1 2020-10-28 - 17:57 over 5 years