CVE-2025-59288
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
描述
### Summary Use of `curl` with the `-k` (or `--insecure`) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications. ### Details The following scripts in the `microsoft/playwright` repository at commit [`bee11cbc28f24bd18e726163d0b9b1571b4f26a8`](https://github.com/microsoft/playwright/commit/bee11cbc28f24bd18e726163d0b9b1571b4f26a8) use `curl -k` to fetch and install executable packages without verifying the authenticity of the SSL certificate: - [`packages/playwright-core/bin/reinstall_chrome_beta_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_chrome_beta_mac.sh) - [`packages/playwright-core/bin/reinstall_chrome_stable_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_chrome_stable_mac.sh) - [`packages/playwright-core/bin/reinstall_msedge_dev_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_msedge_dev_mac.sh) - [`packages/playwright-core/bin/reinstall_msedge_beta_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_msedge_beta_mac.sh) - [`packages/playwright-core/bin/reinstall_msedge_stable_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_msedge_stable_mac.sh) In each case, the shell scripts download a browser installer package using `curl -k` and immediately install it: ```shell curl --retry 3 -o ./<pkg-file> -k <url> sudo installer -pkg /tmp/<pkg-file> -target / ``` Disabling SSL verification (`-k`) means the download can be intercepted and replaced with malicious content. ### PoC A high-level exploitation scenario: 1. An attacker performs a MitM attack on a network where the victim runs one of these scripts. 2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer). 3. Because `curl -k` is used, the script downloads and installs the attacker's payload without any certificate validation. 4. The attacker's code is executed with system privileges, leading to full compromise. No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough. ### Impact This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments. ### Fix - https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570 - https://github.com/microsoft/playwright/pull/37532 - https://github.com/microsoft/playwright/releases/tag/v1.56.0 ### Credit - This vulnerability was uncovered by tooling by [Socket](https://socket.dev/) - This vulnerability was confirmed by @evilpacket - This vulnerability was reported by @JLLeitschuh at Socket ### Disclosure - September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8 - September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854 - September 11th, 2025 - Microsoft closed report as "Complete - N/A" - September 18th, 2025 - Following a [LinkedIn Post](https://www.linkedin.com/posts/jonathan-leitschuh_its-a-sad-state-of-the-world-when-i-acknowledge-activity-7374601182117511168--wnI?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAAA0SLMUBScBUspIv0-LQ1ecAwsqt5l81eG4)