Skip to content

chore(deps): update dependency playwright to v1.55.1 [security]#2506

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-playwright-vulnerability
Oct 28, 2025
Merged

chore(deps): update dependency playwright to v1.55.1 [security]#2506
renovate[bot] merged 1 commit intomainfrom
renovate/npm-playwright-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 20, 2025
edited by github-actions bot
Loading

This PR contains the following updates:

Package Change Age Confidence
playwright (source) 1.55.0 -> 1.55.1 age confidence

GitHub Vulnerability Alerts

CVE-2025-59288

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

  1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
  2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
  3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
  4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

Credit

  • This vulnerability was uncovered by tooling by Socket
  • This vulnerability was confirmed by @​evilpacket
  • This vulnerability was reported by @​JLLeitschuh at Socket

Disclosure

Release Notes

microsoft/playwright (playwright)

v1.55.1

Compare Source

Highlights

#​37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
#​37147 - [Regression]: Internal error: step id not found.
#​37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects.
#​37137 - Revert "fix(a11y): track inert elements as hidden".
#​37532 - chore: do not use -k option

Browser Versions

  • Chromium 140.0.7339.186
  • Mozilla Firefox 141.0
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 139
  • Microsoft Edge 139

Configuration

📅 Schedule: Branch creation - "" in timezone America/Vancouver, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

@renovate renovate bot enabled auto-merge (squash) October 20, 2025 15:37
@github-project-automation github-project-automation bot moved this from New to Waiting in DevOps (NR) Oct 20, 2025
@renovate renovate bot force-pushed the renovate/npm-playwright-vulnerability branch from 5cda9c2 to afdd5a3 Compare October 28, 2025 01:57
@renovate renovate bot force-pushed the renovate/npm-playwright-vulnerability branch from afdd5a3 to c6ea4bd Compare October 28, 2025 03:24
@renovate renovate bot merged commit d141db0 into main Oct 28, 2025
26 of 30 checks passed
@renovate renovate bot deleted the renovate/npm-playwright-vulnerability branch October 28, 2025 03:32
@github-project-automation github-project-automation bot moved this from Waiting to Done in DevOps (NR) Oct 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

DevOps (NR)
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants