| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| playwright | npm | < 1.55.1 | 1.55.1 |
The vulnerability lies in the browser download and installation process within Playwright, specifically for macOS. The analysis of the provided patch commit 72c62d840247d9defd87c6beb0344d456794b570 reveals that several shell scripts located in packages/playwright-core/bin/ were modified. These scripts are responsible for reinstalling different versions of Chrome and MS Edge.
The core of the vulnerability is the use of curl with the -k (or --insecure) flag. This flag tells curl to skip verification of the server's TLS (SSL) certificate, so the connection is open to man-in-the-middle (MitM) attacks: an attacker on the same network could intercept the download request and substitute a malicious package for the legitimate browser package.
The patch addresses this by removing the -k flag from every curl command in the affected scripts. This restores curl's default behavior of validating the server certificate against the trusted CA store, which ensures the authenticity and integrity of the downloaded files.
The identified 'vulnerable functions' are the shell scripts themselves, as they contain the insecure command. During a Playwright installation or browser update on a macOS system, these scripts would be executed, and their names would appear in process lists or execution logs, serving as runtime indicators of the vulnerable process.
| Script | Path |
|---|---|
| reinstall_chrome_beta_mac.sh | packages/playwright-core/bin/reinstall_chrome_beta_mac.sh |
| reinstall_chrome_stable_mac.sh | packages/playwright-core/bin/reinstall_chrome_stable_mac.sh |
| reinstall_msedge_beta_mac.sh | packages/playwright-core/bin/reinstall_msedge_beta_mac.sh |
| reinstall_msedge_dev_mac.sh | packages/playwright-core/bin/reinstall_msedge_dev_mac.sh |
| reinstall_msedge_stable_mac.sh | packages/playwright-core/bin/reinstall_msedge_stable_mac.sh |
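As an added example (not Playwright's own code), the following POSIX shell audit flags curl invocations that carry -k or --insecure, including -k folded into a short-option cluster, so a vendored copy of these scripts can be checked for the defect described above. The sample "before" and "after" scripts, their URL and file names are constructed placeholders, not the contents of the real reinstall_*_mac.sh files.

```shell
#!/bin/sh
# Added audit example, not part of Playwright. Flags curl calls that disable TLS
# certificate verification with -k/--insecure, the defect fixed in playwright 1.55.1.

workdir=$(mktemp -d)

# Constructed samples: a "before" script that downloads with curl -k (as the affected
# reinstall_*_mac.sh scripts did) and a fixed "after" script. Placeholder URL/paths.
make_samples() {
  cat > "$workdir/before.sh" <<'EOF'
#!/bin/bash
set -e
curl -kL -o "$TMPDIR/browser.pkg" https://downloads.example.invalid/browser.pkg
echo "installing $TMPDIR/browser.pkg"
EOF
  cat > "$workdir/after.sh" <<'EOF'
#!/bin/bash
set -e
curl -L -o "$TMPDIR/browser.pkg" https://downloads.example.invalid/browser.pkg
echo "installing $TMPDIR/browser.pkg"
EOF
}

# Print (with line numbers) each curl line in file $1 that uses --insecure or -k,
# also when -k sits inside a short-option cluster such as -kL or -sSk (heuristic match).
# Returns 1 when at least one such line exists, 0 when the file is clean.
find_insecure_curl() {
  grep -nE '(^|[;&|[:space:]])curl[[:space:]]' "$1" \
    | grep -E '[[:space:]](--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)' \
    && return 1
  return 0
}

# Scan every *.sh directly under directory $1 (for example a checkout of
# packages/playwright-core/bin or node_modules/playwright-core/bin) and list offenders.
scan_dir() {
  rc=0
  for f in "$1"/*.sh; do
    [ -f "$f" ] || continue
    if ! find_insecure_curl "$f" >/dev/null; then
      echo "INSECURE: $f"
      rc=1
    fi
  done
  return $rc
}

make_samples
scan_dir "$workdir" || echo "found scripts that skip certificate verification"
```

Point scan_dir at the bin directory of an installed playwright-core to confirm a dependency tree is on a patched version.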