This PR contains the following updates:

Package	Change	Age	Confidence
playwright (source)	1.54.2 ->1.55.1

GitHub Vulnerability Alerts

CVE-2025-59288

Summary

Use ofcurl with the-k (or--insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in themicrosoft/playwright repository at commitbee11cbc28f24bd18e726163d0b9b1571b4f26a8 usecurl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

• packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
• packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
• packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
• packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
• packages/playwright-core/bin/reinstall_msedge_stable_mac.sh

In each case, the shell scripts download a browser installer package usingcurl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k<url>sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
3. Becausecurl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

• microsoft/playwright@72c62d8
• https://github.com/microsoft/playwright/pull/37532
• https://github.com/microsoft/playwright/releases/tag/v1.56.0

Credit

• This vulnerability was uncovered by tooling bySocket
• This vulnerability was confirmed by @​evilpacket
• This vulnerability was reported by @​JLLeitschuh at Socket

Disclosure

• September 10th, 2025 - Disclosed to Microsoft privately viahttps://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
• September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal -https://msrc.microsoft.com/report/vulnerability/VULN-162854
• September 11th, 2025 - Microsoft closed report as "Complete - N/A"
• September 18th, 2025 - Following aLinkedIn Post

Release Notes

Configuration

📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕Ignore: Close this PR and you won't be reminded about this update again.

• If you want to rebase/retry this PR, check this box

This PR was generated byMend Renovate. View therepository job log.