Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

Severity:: High

Description

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Recommendation

Update the playwright package to the latest compatible version. Followings are version details:

Affected version(s): < 1.55.1
Patched version(s): 1.55.1

References

GHSA-7mvr-c777-76hp
msrc.microsoft.com
CVE-2025-59288
CWE-347
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 9 - CVE-2025-65944
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 7 - CVE-2025-65944
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 6 - CVE-2025-65944
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) 5 - CVE-2025-65944

Tags:: npm; playwright

Anything's wrong? Let us know Last updated on October 24, 2025