Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
- Severity:
- High
Description
Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.
Recommendation
Update the playwright package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.55.1
- Patched version(s): 1.55.1
References
Related Issues
- Improper Certificate Validation in xmlhttprequest-ssl - CVE-2021-31597
- Astro's `X-Forwarded-Host` is reflected without validation - CVE-2025-61925
- Manifest Uses a One-Way Hash without a Salt - CVE-2025-27408
- Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools - CVE-2025-9611
- Tags:
- npm
- playwright
Anything's wrong? Let us know Last updated on October 24, 2025