Skip to content

chore(deps): update dependency playwright to v1.55.1 [security]#136

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-playwright-vulnerability
Open

chore(deps): update dependency playwright to v1.55.1 [security]#136
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-playwright-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Oct 20, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
playwright (source) 1.54.11.55.1 age confidence

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

CVE-2025-59288 / GHSA-7mvr-c777-76hp

More information

Details

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

  1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
  2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
  3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
  4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix
Credit
  • This vulnerability was uncovered by tooling by Socket
  • This vulnerability was confirmed by @​evilpacket
  • This vulnerability was reported by @​JLLeitschuh at Socket
Disclosure

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

microsoft/playwright (playwright)

v1.55.1

Compare Source

Highlights

#​37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
#​37147 - [Regression]: Internal error: step id not found.
#​37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects.
#​37137 - Revert "fix(a11y): track inert elements as hidden".
#​37532 - chore: do not use -k option

Browser Versions

  • Chromium 140.0.7339.186
  • Mozilla Firefox 141.0
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 139
  • Microsoft Edge 139

v1.55.0

Compare Source

New APIs

  • New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

  • Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

  • ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

  • Added support for Debian 13 "Trixie".

Browser Versions

  • Chromium 140.0.7339.16
  • Mozilla Firefox 141.0
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 139
  • Microsoft Edge 139

v1.54.2

Compare Source

Highlights

#​36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error)
#​36828 - [Regression]: Playwright Codegen keeps spamming with selected option
#​36810 - [Regression]: Starting Codegen with target language doesn't work anymore

Browser Versions

  • Chromium 139.0.7258.5
  • Mozilla Firefox 140.0.2
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 140
  • Microsoft Edge 140

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-playwright-vulnerability branch from 7789f73 to f217e98 Compare December 31, 2025 14:38
@renovate renovate Bot force-pushed the renovate/npm-playwright-vulnerability branch from f217e98 to fb21683 Compare January 19, 2026 17:39
@renovate renovate Bot force-pushed the renovate/npm-playwright-vulnerability branch from fb21683 to 4acd900 Compare February 12, 2026 17:36
@renovate renovate Bot force-pushed the renovate/npm-playwright-vulnerability branch from 4acd900 to 83fee50 Compare March 5, 2026 15:17
@renovate renovate Bot changed the title chore(deps): update dependency playwright to v1.55.1 [security] chore(deps): update dependency playwright to v1.55.1 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-playwright-vulnerability branch March 27, 2026 01:30
@renovate renovate Bot changed the title chore(deps): update dependency playwright to v1.55.1 [security] - autoclosed chore(deps): update dependency playwright to v1.55.1 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-playwright-vulnerability branch 2 times, most recently from 83fee50 to 2f0d9e0 Compare March 30, 2026 22:29
@renovate renovate Bot changed the title chore(deps): update dependency playwright to v1.55.1 [security] chore(deps): update dependency playwright to v1.55.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency playwright to v1.55.1 [security] - autoclosed chore(deps): update dependency playwright to v1.55.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-playwright-vulnerability branch 2 times, most recently from 2f0d9e0 to cc0e28c Compare April 27, 2026 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants