Description
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
Summary
Use of curl with the -k (or --insecure) flag in installer scripts disables TLS server certificate verification, so an attacker positioned on the network path (Man-in-the-Middle, MitM) can substitute arbitrary executables for the expected download. This can lead to full system compromise, because the downloaded files are installed as privileged applications.
Details
The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the server's TLS certificate:
- packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
- packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
- packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
- packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
- packages/playwright-core/bin/reinstall_msedge_stable_mac.sh
In each case, the shell script downloads a browser installer package using curl -k and immediately installs it.
With certificate verification disabled (-k), curl accepts any certificate the peer presents, so anyone who can intercept the connection can impersonate the download host and replace the package with malicious content.
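The following is an added example, not one of Playwright's scripts and not the upstream fix: it shows the insecure download pattern next to a hardened helper that keeps certificate verification on, restricts curl to HTTPS, and pins the downloaded artifact to a known SHA-256 before anything installs it. The function names (secure_fetch, sha256_of, verify_checksum) and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Playwright code). Demonstrates the vulnerable pattern
# and a hardened replacement for "download an installer and run it".
set -eu

# VULNERABLE PATTERN (do not use): -k/--insecure disables TLS certificate
# verification, so a MitM attacker with any certificate can serve the file.
#   curl -k -o ./installer.pkg "$URL"

# Hardened download: verification stays on (curl's default), only https:// is
# allowed, TLS 1.2+ is required, and HTTP error codes fail the download.
secure_fetch() {
  url="$1"
  out="$2"
  curl --fail --silent --show-error --location \
       --proto '=https' --tlsv1.2 \
       --output "$out" "$url"
}

# SHA-256 of a file, portable between macOS (shasum) and Linux (sha256sum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED_HEX -> exit 0 on match, 1 otherwise.
# The expected digest must come from a trusted, out-of-band source
# (e.g. pinned in the script), not from the same server as the download.
verify_checksum() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Offline demo on a constructed file: "hello\n" has a well-known SHA-256.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
expected_sha="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
if verify_checksum "$demo_file" "$expected_sha"; then
  echo "checksum ok: safe to hand to the installer"
else
  echo "checksum mismatch: refusing to install" >&2
fi
rm -f "$demo_file"
```

In a real script the call order is secure_fetch, then verify_checksum, and only then the privileged install step; a mismatch must abort before the package is executed.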
PoC
A high-level exploitation scenario:
- An attacker performs a MitM attack on a network where the victim runs one of these scripts.
- The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
- Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
- The attacker's code is executed with system privileges, leading to full compromise.
 
No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.
Impact
This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.
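Because the scripts may run in CI/CD or developer environments, a practitioner will want to check their own repositories for the same pattern. The following audit helper is an added example, not part of the advisory or of Playwright: it greps shell scripts for curl invocations that carry -k (alone or folded into a combined flag such as -sSLk) or --insecure, and for wget --no-check-certificate. The function names and the sample scripts it creates are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not Playwright code): audit a directory of shell scripts for
# downloads that disable TLS certificate verification.

# find_insecure_downloads DIR -> prints file:line:content for each hit.
# Patterns: "curl ... -k" (also combined short flags like -sSLk),
#           "curl ... --insecure", "wget ... --no-check-certificate".
find_insecure_downloads() {
  grep -rnE \
    -e 'curl[^|;&]*[[:space:]]-[A-Za-z]*k[A-Za-z]*([[:space:]]|$)' \
    -e 'curl[^|;&]*--insecure' \
    -e 'wget[^|;&]*--no-check-certificate' \
    --include='*.sh' "$1" || true
}

# count_insecure DIR -> number of offending lines (0 means clean).
count_insecure() {
  find_insecure_downloads "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree offline: one bad script, one good script.
make_sample_tree() {
  dir=$(mktemp -d)
  cat > "$dir/reinstall_bad.sh" <<'EOF'
#!/bin/sh
curl -k -o /tmp/browser.pkg https://example.invalid/browser.pkg
curl -sSLk https://example.invalid/other.pkg -o /tmp/other.pkg
curl --insecure -o /tmp/third.pkg https://example.invalid/third.pkg
EOF
  cat > "$dir/reinstall_good.sh" <<'EOF'
#!/bin/sh
curl --fail --proto '=https' --tlsv1.2 -o /tmp/browser.pkg https://example.invalid/browser.pkg
EOF
  printf '%s\n' "$dir"
}

# Demo: expect exactly the three lines from reinstall_bad.sh.
sample=$(make_sample_tree)
find_insecure_downloads "$sample"
echo "insecure download lines: $(count_insecure "$sample")"
rm -rf "$sample"
```

Run it against a checkout (for example, `count_insecure packages/playwright-core/bin`) and treat any non-zero count as a finding; the regex deliberately does not match long options such as --keepalive-time, whose second dash prevents the single-dash short-flag pattern from applying.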
Fix
- https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
- https://github.com/microsoft/playwright/pull/37532
- https://github.com/microsoft/playwright/releases/tag/v1.56.0
 
Credit
- This vulnerability was uncovered by tooling by Socket
- This vulnerability was confirmed by @evilpacket
- This vulnerability was reported by @JLLeitschuh at Socket
 
Disclosure
- September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
- September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854
- September 11th, 2025 - Microsoft closed report as "Complete - N/A"
- September 18th, 2025 - Following a LinkedIn Post
 
References
- https://github.com/SocketDev/security-research/security/advisories/GHSA-qxm8-4v54-964r
- https://nvd.nist.gov/vuln/detail/CVE-2025-59288
- https://github.com/microsoft/playwright/pull/37532
- https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
- https://github.com/microsoft/playwright/releases/tag/v1.55.1
- https://github.com/microsoft/playwright/releases/tag/v1.56.0
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59288
 
Packages
playwright (affected: < 1.55.1; patched: 1.55.1)
Related vulnerabilities
Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent network.