Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

Severity:: High

Description

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Recommendation

Update the playwright package to the latest compatible version. Followings are version details:

Affected version(s): < 1.55.1
Patched version(s): 1.55.1

References

GHSA-7mvr-c777-76hp
msrc.microsoft.com
CVE-2025-59288
CWE-347
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

Astro's `X-Forwarded-Host` is reflected without validation - CVE-2025-61925
undici Denial of Service attack via bad certificate data - CVE-2025-47279
Improper Certificate Validation in xmlhttprequest-ssl - CVE-2021-31597
Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools - CVE-2025-9611

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; playwright

Anything's wrong? Let us know Last updated on October 24, 2025