
Cloud Vulnerability DB
A community-led vulnerabilities database
Improper verification of cryptographic signature in Playwright allows an unauthorized attacker to perform spoofing over an adjacent network. The vulnerability was discovered on October 14, 2025, and affects Playwright versions before 1.55.1. This security issue is tracked as CVE-2025-59288 and has been assigned CWE-347 (Improper Verification of Cryptographic Signature) (NVD, Miggo).
The vulnerability exists in the browser download and installation process within Playwright, specifically for macOS. The core issue is the use of curl with the -k (or --insecure) flag in several shell scripts located in packages/playwright-core/bin/. These scripts, responsible for reinstalling different versions of Chrome and MS Edge, skip TLS (SSL) certificate validation, so the download connection can be intercepted by a man-in-the-middle. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (Miggo).
The vulnerability allows an attacker on the same network to intercept download requests and substitute legitimate browser packages with malicious ones during Playwright's browser installation or update process. This could lead to remote code execution through the installation of compromised browser binaries (Miggo).
The vulnerability has been patched in Playwright version 1.55.1. The fix removes the -k flag from all curl commands in the affected scripts, enforcing proper SSL certificate validation. Users are advised to upgrade to version 1.55.1 or later to protect against this vulnerability (Miggo).
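As an added example (not Playwright's own code), the script below audits shell scripts for the exact pattern the fix removed (curl with -k or --insecure) and shows a hardened download wrapper for the same use case; the sample script content and the EXPECTED_SHA256 placeholder are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Playwright's own code): audit shell scripts for curl
# invocations that disable TLS certificate validation (-k / --insecure),
# the pattern behind CVE-2025-59288, and show a hardened download wrapper.
set -eu

# Print "file:line: text" for every curl invocation in the given files that
# uses -k (standalone or bundled, e.g. -sSk) or --insecure.
# Returns 0 when nothing is flagged, 1 otherwise (usable as a CI gate).
audit_insecure_curl() {
  local found=0 file line n
  for file in "$@"; do
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      case "$line" in *curl*) ;; *) continue ;; esac
      if printf '%s\n' "$line" |
         grep -Eq -- '(^|[[:space:]])-[a-zA-Z]*k[a-zA-Z]*([[:space:]]|$)|--insecure'; then
        printf '%s:%d: %s\n' "$file" "$n" "$line"
        found=1
      fi
    done < "$file"
  done
  return "$found"
}

# Hardened download for the same use case: validation stays on (no -k),
# HTTPS only, fail on HTTP errors, then check a pinned SHA-256.
# The expected hash must come from a trusted source; here it is a placeholder.
download_verified() {
  local url="$1" dest="$2" expected_sha256="$3"
  curl --fail --silent --show-error --location \
       --proto '=https' --tlsv1.2 --output "$dest" "$url"
  printf '%s  %s\n' "$expected_sha256" "$dest" | shasum -a 256 -c - >/dev/null
}

# Constructed sample resembling the affected reinstall scripts (not the real
# Playwright files): two insecure lines, one corrected line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
curl -k -o /tmp/chrome.dmg "https://example.invalid/chrome.dmg"
curl --insecure -sL "https://example.invalid/edge.pkg" -o /tmp/edge.pkg
curl --fail --proto '=https' -o /tmp/chrome.dmg "https://example.invalid/chrome.dmg"
EOF
if audit_insecure_curl "$SAMPLE"; then
  echo "OK: no certificate validation bypass found"
else
  echo "FAIL: curl -k/--insecure found; remove the flag (fixed in 1.55.1)"
fi
rm -f "$SAMPLE"
```

Run it against `packages/playwright-core/bin/*.sh` of an installed Playwright to confirm whether the version in use still carries the flag; `download_verified` is a template to call with a real URL, destination and trusted hash, not exercised here.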
Source: This report was generated using AI