deps: Update dependency playwright to v1.55.1 [SECURITY] (main)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| playwright (source) | 1.54.0 -> 1.55.1 | | |
[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-59288
Summary
Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.
Details
The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:
- packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
- packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
- packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
- packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
- packages/playwright-core/bin/reinstall_msedge_stable_mac.sh
In each case, the shell scripts download a browser installer package using curl -k and immediately install it:
curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /
Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.
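A check that could run in CI to catch this pattern before it ships, as an added example that is not part of the advisory or the Playwright repository. The function name `audit_insecure_curl` is hypothetical, and the short-option match is a heuristic that may over-report when a short option has its argument glued on.

```shell
#!/bin/sh
# Added example: flag curl invocations that disable TLS certificate
# verification with -k or --insecure.
#
# audit_insecure_curl FILE...
#   Prints "file:line: command" for every offending curl call.
#   Returns 1 if any were found, 0 otherwise.
audit_insecure_curl() {
  awk '
    FNR == 1 { buf = "" }
    {
      # Join backslash-continued lines so flags on a later line are seen.
      if (buf == "") start = FNR
      line = $0
      if (line ~ /\\$/) { sub(/\\$/, " ", line); buf = buf line; next }
      cmd = buf line; buf = ""
      sub(/^[ \t]+/, "", cmd)
      if (cmd ~ /^#/) next                  # ignore comment lines

      n = split(cmd, tok, /[ \t]+/)
      in_curl = 0; bad = 0
      for (i = 1; i <= n; i++) {
        # A command separator ends the current curl invocation.
        if (tok[i] == ";" || tok[i] == "&&" || tok[i] == "||" || tok[i] == "|") {
          in_curl = 0; continue
        }
        # Matches curl, $(curl and similar, but not names like mycurl.
        if (tok[i] ~ /(^|[;&|(])curl$/) { in_curl = 1; continue }
        if (!in_curl) continue
        if (tok[i] == "--insecure") bad = 1
        # Single-dash cluster containing k: -k, -kL, -sSk.
        # Long options such as --keepalive-time do not match.
        else if (tok[i] ~ /^-[A-Za-z0-9#]*k/) bad = 1
      }
      if (bad) { printf "%s:%d: %s\n", FILENAME, start, cmd; found = 1 }
    }
    END { exit (found ? 1 : 0) }
  ' "$@"
}
```

Run it over the installer scripts, for example `audit_insecure_curl packages/playwright-core/bin/*.sh`, and fail the build on a non-zero return.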
PoC
A high-level exploitation scenario:
- An attacker performs a MitM attack on a network where the victim runs one of these scripts.
- The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
- Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
- The attacker's code is executed with system privileges, leading to full compromise.
No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.
Impact
This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.
Fix
- https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
- https://github.com/microsoft/playwright/pull/37532
- https://github.com/microsoft/playwright/releases/tag/v1.56.0
Credit
- This vulnerability was uncovered by tooling by Socket
- This vulnerability was confirmed by @evilpacket
- This vulnerability was reported by @JLLeitschuh at Socket
Disclosure
- September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
- September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854
- September 11th, 2025 - Microsoft closed report as "Complete - N/A"
- September 18th, 2025 - Following a LinkedIn Post
Release Notes
microsoft/playwright (playwright)
v1.55.1
Highlights
- #37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
- #37147 - [Regression]: Internal error: step id not found.
- #37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects.
- #37137 - Revert "fix(a11y): track inert elements as hidden".
- #37532 - chore: do not use -k option
Browser Versions
- Chromium 140.0.7339.186
- Mozilla Firefox 141.0
- WebKit 26.0
This version was also tested against the following stable channels:
- Google Chrome 139
- Microsoft Edge 139
v1.55.0
New APIs
- New Property testStepInfo.titlePath: Returns the full title path starting from the test file, including test and step titles.
Codegen
- Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.
Breaking Changes
- ⚠️ Dropped support for Chromium extension manifest v2.
Miscellaneous
- Added support for Debian 13 "Trixie".
Browser Versions
- Chromium 140.0.7339.16
- Mozilla Firefox 141.0
- WebKit 26.0
This version was also tested against the following stable channels:
- Google Chrome 139
- Microsoft Edge 139
v1.54.2
Highlights
- #36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error)
- #36828 - [Regression]: Playwright Codegen keeps spamming with selected option
- #36810 - [Regression]: Starting Codegen with target language doesn't work anymore
Browser Versions
- Chromium 139.0.7258.5
- Mozilla Firefox 140.0.2
- WebKit 26.0
This version was also tested against the following stable channels:
- Google Chrome 140
- Microsoft Edge 140
v1.54.1
Highlights
#36650 - [Regression]: 1.54.0 breaks downloading browsers when an HTTP(S) proxy is used
Browser Versions
- Chromium 139.0.7258.5
- Mozilla Firefox 140.0.2
- WebKit 26.0
This version was also tested against the following stable channels:
- Google Chrome 140
- Microsoft Edge 140
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate.