chore(deps): update dependency playwright to v1.55.1 [security]

This MR contains the following updates:

Package	Change	Age	Confidence
playwright (source)	1.53.2 -> 1.55.1

---

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

CVE-2025-59288 / GHSA-7mvr-c777-76hp

More information

Details

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

• packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
• packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
• packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
• packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
• packages/playwright-core/bin/reinstall_msedge_stable_mac.sh

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

• https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
• https://github.com/microsoft/playwright/pull/37532
• https://github.com/microsoft/playwright/releases/tag/v1.56.0

Credit

• This vulnerability was uncovered by tooling by Socket
• This vulnerability was confirmed by @​evilpacket
• This vulnerability was reported by @​JLLeitschuh at Socket

Disclosure

• September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
• September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854
• September 11th, 2025 - Microsoft closed report as "Complete - N/A"
• September 18th, 2025 - Following a LinkedIn Post

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/MR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

• https://github.com/SocketDev/security-research/security/advisories/GHSA-qxm8-4v54-964r
• https://nvd.nist.gov/vuln/detail/CVE-2025-59288
• https://github.com/microsoft/playwright/pull/37532
• https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570
• https://github.com/microsoft/playwright
• https://github.com/microsoft/playwright/releases/tag/v1.55.1
• https://github.com/microsoft/playwright/releases/tag/v1.56.0
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59288

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

microsoft/playwright (playwright)

v1.55.1

Compare Source

Highlights

#​37479 - [Bug]: Upgrade Chromium to 140.0.7339.186. #​37147 - [Regression]: Internal error: step id not found. #​37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects. #​37137 - Revert "fix(a11y): track inert elements as hidden". #​37532 - chore: do not use -k option

Browser Versions

• Chromium 140.0.7339.186
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.55.0

Compare Source

New APIs

• New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

• Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

• ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

• Added support for Debian 13 "Trixie".

Browser Versions

• Chromium 140.0.7339.16
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.54.2

Compare Source

Highlights

#​36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error) #​36828 - [Regression]: Playwright Codegen keeps spamming with selected option #​36810 - [Regression]: Starting Codegen with target language doesn't work anymore

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.54.1

Compare Source

Highlights

#​36650 - [Regression]: 1.54.0 breaks downloading browsers when an HTTP(S) proxy is used

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.54.0

Compare Source

Highlights

• New cookie property partitionKey in browserContext.cookies() and browserContext.addCookies(). This property allows to save and restore partitioned cookies. See CHIPS MDN article for more information. Note that browsers have different support and defaults for cookie partitioning.

• New option noSnippets to disable code snippets in the html report.

  import { defineConfig } from '@​playwright/test';
  
  export default defineConfig({
    reporter: [['html', { noSnippets: true }]]
  });

• New property location in test annotations, for example in testResult.annotations and testInfo.annotations. It shows where the annotation like test.skip or test.fixme was added.

Command Line

• New option --user-data-dir in multiple commands. You can specify the same user data dir to reuse browsing state, like authentication, between sessions.

  npx playwright codegen --user-data-dir=./user-data

• Option -gv has been removed from the npx playwright test command. Use --grep-invert instead.

• npx playwright open does not open the test recorder anymore. Use npx playwright codegen instead.

Miscellaneous

• Support for Node.js 16 has been removed.
• Support for Node.js 18 has been deprecated, and will be removed in the future.

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.