CVE-2025-59288: Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
The installer scripts invoke curl with the -k (or --insecure) flag, which disables TLS certificate verification, so an attacker in a Man-in-the-Middle (MitM) position can deliver arbitrary executables in place of the expected download. This can lead to full system compromise, as the downloaded files are installed as privileged applications.
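To audit your own installer scripts for the pattern described above, the following added example (not part of the advisory or of Playwright's code) flags curl commands that pass -k or --insecure, including clustered short flags and backslash-continued lines. The sample script, its hostnames and the function names are constructed for illustration, and the list of value-taking short options is an assumed common subset.

```python
import re
import shlex
from itertools import takewhile

# curl short options that consume a value (assumed common set, not exhaustive).
TAKES_VALUE = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")
SEPARATORS = {"|", "||", "&&", ";", "&", "(", ")"}

# Constructed installer script used as sample input.
SAMPLE = r'''#!/bin/sh
# "curl -k" inside a comment is not a command
curl -fsSLk https://downloads.example.test/browser.pkg -o /tmp/browser.pkg
curl --retry 3 --insecure \
     --output /tmp/b.zip https://downloads.example.test/b.zip
curl -fsSL -obrowser.pkg https://downloads.example.test/browser.pkg
curl -sS -H "X-Note: -k" https://downloads.example.test/safe.tgz | tar xz
'''

def curl_disables_tls(args):
    """True if a curl argument list turns off certificate verification."""
    it = iter(args)
    for arg in it:
        if arg == "--insecure":
            return True
        if arg[:1] == "-" and arg[:2] != "--":
            for i, ch in enumerate(arg[1:], 1):
                if ch == "k":
                    return True
                if ch in TAKES_VALUE:       # rest of cluster is its value...
                    if i == len(arg) - 1:   # ...or, if empty, the next token
                        next(it, None)
                    break
    return False

def find_insecure_curl(script):
    """Yield each command line whose curl call passes -k / --insecure."""
    folded = re.sub(r"\\\r?\n[ \t]*", " ", script)   # join continuations
    for line in folded.splitlines():
        lex = shlex.shlex(line, posix=True, punctuation_chars=True)
        lex.whitespace_split = True     # split on whitespace and | ; & ( )
        try:
            toks = list(lex)            # shlex drops '#' comments itself
        except ValueError:              # unbalanced quote: naive split
            toks = line.split()
        for i, tok in enumerate(toks):
            if tok.rsplit("/", 1)[-1] == "curl":
                args = takewhile(lambda t: t not in SEPARATORS, toks[i + 1:])
                if curl_disables_tls(args):
                    yield line.strip()
                    break
```

On the sample, only the first two curl commands are reported; `-obrowser.pkg` and the quoted header value contain a "k" but are option values, which a plain text search for `-k` would misreport.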
References
- github.com/SocketDev/security-research/security/advisories/GHSA-qxm8-4v54-964r
- github.com/advisories/GHSA-7mvr-c777-76hp
- github.com/microsoft/playwright
- github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
- github.com/microsoft/playwright/pull/37532
- github.com/microsoft/playwright/releases/tag/v1.55.1
- github.com/microsoft/playwright/releases/tag/v1.56.0
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59288
- nvd.nist.gov/vuln/detail/CVE-2025-59288