CVE-2025-59288: Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

CVSS Score: 5.3 (CVSS version 3.1)

Basic Information

EPSS Score: 0.06204%
Published: 10/14/2025
Updated: 10/20/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: playwright
Ecosystem: npm
Vulnerable Versions: < 1.55.1
First Patched Version: 1.55.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability lies in the browser download and installation process within Playwright, specifically for macOS. The analysis of the provided patch commit `72c62d840247d9defd87c6beb0344d456794b570` reveals that several shell scripts located in `packages/playwright-core/bin/` were modified. These scripts are responsible for reinstalling different versions of Chrome and MS Edge.

The core of the vulnerability is the use of `curl` with the `-k` (or `--insecure`) flag. This flag explicitly tells `curl` to bypass SSL certificate validation, making the connection vulnerable to man-in-the-middle (MitM) attacks. An attacker on the same network could intercept the download requests and substitute the legitimate browser package with a malicious one.

The patch addresses this vulnerability by removing the `-k` flag from all the `curl` commands in the affected scripts. This enforces the default behavior of `curl`, which is to validate the SSL certificate of the server, thus ensuring the authenticity and integrity of the downloaded files.

The identified 'vulnerable functions' are the shell scripts themselves, as they contain the insecure command. During a Playwright installation or browser update on a macOS system, these scripts would be executed, and their names would appear in process lists or execution logs, serving as runtime indicators of the vulnerable process.

Vulnerable functions

reinstall_chrome_beta_mac.sh
packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
The script uses `curl` with the `-k` flag, which disables SSL certificate validation. This allows a man-in-the-middle attacker to intercept the download and provide a malicious browser binary.
reinstall_chrome_stable_mac.sh
packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
The script uses `curl` with the `-k` flag, which disables SSL certificate validation. This allows a man-in-the-middle attacker to intercept the download and provide a malicious browser binary.
reinstall_msedge_beta_mac.sh
packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
The script uses `curl` with the `-k` flag, which disables SSL certificate validation. This allows a man-in-the-middle attacker to intercept the download and provide a malicious browser binary.
reinstall_msedge_dev_mac.sh
packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
The script uses `curl` with the `-k` flag, which disables SSL certificate validation. This allows a man-in-the-middle attacker to intercept the download and provide a malicious browser binary.
reinstall_msedge_stable_mac.sh
packages/playwright-core/bin/reinstall_msedge_stable_mac.sh
The script uses `curl` with the `-k` flag, which disables SSL certificate validation. This allows a man-in-the-middle attacker to intercept the download and provide a malicious browser binary.
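
The check the patch implies can be automated for any tree of shell scripts. The following is an added example, not code from this page or from the Playwright project: a heuristic scanner that reports `curl` invocations using `-k` or `--insecure`, including clustered short flags and commands split across continuation lines. The function names, the sample script and the `example.invalid` URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic audit for curl calls that skip TLS certificate checks.
# Function names and the sample script below are constructed for illustration.

# Print "FILE:LINE: command" for every curl invocation using -k / --insecure.
scan_insecure_curl() {
  awk -v file="$1" '
    /^[ \t]*#/ && buf == "" { next }            # ignore full-line comments
    {
      if (buf == "") start = NR                 # first line of the command
      line = $0
      if (line ~ /\\$/) {                       # join backslash continuations
        sub(/\\$/, " ", line); buf = buf line; next
      }
      cmd = buf line; buf = ""
      n = split(cmd, tok, /[ \t]+/)
      seen = 0; bad = 0
      for (i = 1; i <= n; i++) {
        t = tok[i]
        if (t == "curl" || t ~ /\/curl$/) { seen = 1; continue }
        if (!seen) continue
        if (t ~ /^[|;&]+$/) { seen = 0; continue }   # curl command ended
        # Second test catches clustered short flags such as -sSLk; an attached
        # option argument containing "k" (e.g. -okit.zip) is a false positive.
        if (t == "--insecure") bad = 1
        else if (t ~ /^-[A-Za-z0-9]*k/) bad = 1
      }
      if (bad) printf "%s:%d: %s\n", file, start, cmd
    }
  ' "$1"
}

# Constructed sample input; example.invalid is a placeholder host.
write_sample() {
  cat > "$1" <<'EOF'
#!/bin/bash
curl -k --retry 3 -o ./a.pkg "https://downloads.example.invalid/a.pkg"
curl --retry 3 -sSLk \
  -o ./b.dmg "https://downloads.example.invalid/b.dmg"
curl --retry 3 -o ./c.pkg "https://downloads.example.invalid/c.pkg"
# curl -k left in a comment
curl --keepalive-time 5 -o ./d.pkg "https://downloads.example.invalid/d.pkg"
EOF
}

sample=$(mktemp) && write_sample "$sample" && scan_insecure_curl "$sample"
rm -f "$sample"
```

Run over the scripts in a checked-out tree, any output line is a download that would accept an unverified certificate; an empty result matches the patched state described above.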

WAF Protection Rules

WAF Rule

Improper verification of cryptographic signature in Playwright allows an unauthorized attacker to perform spoofing over an adjacent network.
