chore(deps): update dependency playwright to v1.55.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
playwright (source)	1.54.2 → 1.55.1

---

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

CVE-2025-59288 / GHSA-7mvr-c777-76hp

More information

Details

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

• packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
• packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
• packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
• packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
• packages/playwright-core/bin/reinstall_msedge_stable_mac.sh

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

• microsoft/playwright@72c62d8
• https://github.com/microsoft/playwright/pull/37532
• https://github.com/microsoft/playwright/releases/tag/v1.56.0

Credit

• This vulnerability was uncovered by tooling by Socket
• This vulnerability was confirmed by @​evilpacket
• This vulnerability was reported by @​JLLeitschuh at Socket

Disclosure

• September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
• September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854
• September 11th, 2025 - Microsoft closed report as "Complete - N/A"
• September 18th, 2025 - Following a LinkedIn Post

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-59288
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59288
• https://github.com/SocketDev/security-research/security/advisories/GHSA-qxm8-4v54-964r
• https://github.com/microsoft/playwright/pull/37532
• https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
• https://github.com/microsoft/playwright/releases/tag/v1.55.1
• https://github.com/microsoft/playwright/releases/tag/v1.56.0
• https://github.com/advisories/GHSA-7mvr-c777-76hp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

microsoft/playwright (playwright)

v1.55.1

Compare Source

Highlights

#​37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
#​37147 - [Regression]: Internal error: step id not found.
#​37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects.
#​37137 - Revert "fix(a11y): track inert elements as hidden".
#​37532 - chore: do not use -k option

Browser Versions

• Chromium 140.0.7339.186
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.55.0

Compare Source

New APIs

• New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

• Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

• ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

• Added support for Debian 13 "Trixie".

Browser Versions

• Chromium 140.0.7339.16
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.