CVE-2025-59288
ADVISORY - githubSummary
Summary
Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.
Details
The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:
packages/playwright-core/bin/reinstall_chrome_beta_mac.shpackages/playwright-core/bin/reinstall_chrome_stable_mac.shpackages/playwright-core/bin/reinstall_msedge_dev_mac.shpackages/playwright-core/bin/reinstall_msedge_beta_mac.shpackages/playwright-core/bin/reinstall_msedge_stable_mac.sh
In each case, the shell scripts download a browser installer package using curl -k and immediately install it:
curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /
Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.
PoC
A high-level exploitation scenario:
- An attacker performs a MitM attack on a network where the victim runs one of these scripts.
- The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
- Because
curl -kis used, the script downloads and installs the attacker's payload without any certificate validation. - The attacker's code is executed with system privileges, leading to full compromise.
No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.
Impact
This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.
Fix
- https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
- https://github.com/microsoft/playwright/pull/37532
- https://github.com/microsoft/playwright/releases/tag/v1.56.0
Credit
- This vulnerability was uncovered by tooling by Socket
- This vulnerability was confirmed by @evilpacket
- This vulnerability was reported by @JLLeitschuh at Socket
Disclosure
- September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
- September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854
- September 11th, 2025 - Microsoft closed report as "Complete - N/A"
- September 18th, 2025 - Following a LinkedIn Post
Common Weakness Enumeration (CWE)
Improper Verification of Cryptographic Signature
Improper Verification of Cryptographic Signature
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in