All playwright versions

[email protected] rejected Risk: 68 No license

playwright @0.10.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
68
Risk Score
License
No
Install Scripts
1
Dependencies
0
Dev Dependencies
4.8 KB
Package Size
Published

Maintainers

arjun27aslushnikovjoeleinbinderlostintangentpavelfeldman

Dependencies (1)

PackageConstraintRegistry Status
playwright-core =0.10.0 auto_approved

Transitive Dependency Tree

44 transitive deps max depth 6
├─ playwright-core =0.10.0 → 0.10.0
  ├─ debug ^4.1.0 → 4.4.3
  ├─ extract-zip ^1.6.6 → 1.7.0
  ├─ https-proxy-agent ^3.0.0 → 3.0.1
  ├─ jpeg-js ^0.3.6
  ├─ mime ^2.0.3 → 2.6.0
  ├─ pngjs ^3.4.0 → 3.4.0
  ├─ progress ^2.0.3 → 2.0.3
  ├─ proxy-from-env ^1.0.0 → 1.1.0
  ├─ rimraf ^2.6.1 → 2.7.1
  ├─ uuid ^3.4.0 → 3.4.0
├─ ws ^6.1.0 → 6.2.4
  ├─ agent-base ^4.3.0 → 4.3.0
  ├─ async-limiter ~1.0.0 → 1.0.1
  ├─ concat-stream ^1.6.2 → 1.6.2
  ├─ debug ^3.1.0 → 3.2.7
  ├─ debug ^2.6.9
  ├─ glob ^7.1.3 → 7.1.7
  ├─ mkdirp ^0.5.4 → 0.5.6
  ├─ ms ^2.1.3 → 2.1.3
├─ yauzl ^2.10.0 → 2.10.0
  ├─ buffer-crc32 ~0.2.3 → 0.2.13
  ├─ buffer-from ^1.0.0 → 1.1.2
  ├─ es6-promisify ^5.0.0 → 5.0.0
  ├─ fd-slicer ~1.1.0 → 1.1.0
  ├─ fs.realpath ^1.0.0
  ├─ inflight ^1.0.4
  ├─ inherits 2 → 2.0.4
  ├─ inherits ^2.0.3 → 2.0.4
  ├─ minimatch ^3.0.4 → 3.1.5
  ├─ minimist ^1.2.6 → 1.2.8
  ├─ ms ^2.1.1 → 2.1.3
  ├─ once ^1.3.0 → 1.4.0
  ├─ path-is-absolute ^1.0.0 → 1.0.1
  ├─ readable-stream ^2.2.2 → 2.3.8
├─ typedarray ^0.0.6 → 0.0.6
  ├─ brace-expansion ^1.1.7 → 1.1.15
  ├─ core-util-is ~1.0.0 → 1.0.3
  ├─ es6-promise ^4.0.3 → 4.2.8
  ├─ inherits ~2.0.3 → 2.0.4
  ├─ isarray ~1.0.0 → 1.0.0
  ├─ pend ~1.2.0 → 1.2.0
  ├─ process-nextick-args ~2.0.0 → 2.0.1
  ├─ safe-buffer ~5.1.1 → 5.1.2
  ├─ string_decoder ~1.1.1 → 1.1.1
  ├─ util-deprecate ~1.0.1 → 1.0.2
├─ wrappy 1 → 1.0.2
  ├─ balanced-match ^1.0.0 → 1.0.2
  ├─ concat-map 0.0.1 → 0.0.1
  ├─ safe-buffer ~5.1.0 → 5.1.2

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
osv:GHSA-7mvr-c777-76hp osv reject AI AI (osv): Advisory covers all versions < 1.55.1; curl -k in browser installer scripts allows MitM substitution of arbitrary executables. Fix exists in 1.55.1. Generalizes to all affected versions.

SAST Findings (3)

CRITICAL GHSA-7mvr-c777-76hp: Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate osv

[Always reject] ### Summary Use of `curl` with the `-k` (or `--insecure`) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications. ### Details The following scripts in the `microsoft/playwright` repository at commit [`bee11cbc28f24bd18e726163d0b9b1571b4f26a8`](https://github.com/microsoft/playwright/commit/bee11cbc28f24bd18e726163d0b9b1571b4f26a8) use `curl -k` to fetch and install executable packages without verifying the authenticity of the SSL certificate: - [`packages/playwright-core/bin/reinstall_chrome_beta_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_chrome_beta_mac.sh) - [`packages/playwright-core/bin/reinstall_chrome_stable_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_chrome_stable_mac.sh) - [`packages/playwright-core/bin/reinstall_msedge_dev_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_msedge_dev_mac.sh) - [`packages/playwright-core/bin/reinstall_msedge_beta_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_msedge_beta_mac.sh) - [`packages/playwright-core/bin/reinstall_msedge_stable_mac.sh`](https://github.com/microsoft/playwright/blob/bee11cbc28f24bd18e726163d0b9b1571b4f26a8/packages/playwright-core/bin/reinstall_msedge_stable_mac.sh) In each case, the shell scripts download a browser installer package using `curl -k` and immediately install it: ```shell curl --retry 3 -o ./<pkg-file> -k <url> sudo installer -pkg /tmp/<pkg-file> -target / ``` Disabling SSL verification (`-k`) means the download can be intercepted and replaced with malicious content. ### PoC A high-level exploitation scenario: 1. An attacker performs a MitM attack on a network where the victim runs one of these scripts. 2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer). 3. Because `curl -k` is used, the script downloads and installs the attacker's payload without any certificate validation. 4. The attacker's code is executed with system privileges, leading to full compromise. No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough. ### Impact This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments. ### Fix - https://github.com/microsoft/playwright/commit/72c62d840247d9defd87c6beb0344d456794b570 - https://github.com/microsoft/playwright/pull/37532 - https://github.com/microsoft/playwright/releases/tag/v1.56.0 ### Credit - This vulnerability was uncovered by tooling by [Socket](https://socket.dev/) - This vulnerability was confirmed by @evilpacket - This vulnerability was reported by @JLLeitschuh at Socket ### Disclosure - September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8 - September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854 - September 11th, 2025 - Microsoft closed report as "Complete - N/A" - September 18th, 2025 - Following a [LinkedIn Post](https://www.linkedin.com/posts/jonathan-leitschuh_its-a-sad-state-of-the-world-when-i-acknowledge-activity-7374601182117511168--wnI?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAAA0SLMUBScBUspIv0-LQ1ecAwsqt5l81eG4)

HIGH Package has 'install' script install-scripts

Script: node install.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 68. Findings: 1 critical (+40), 1 high (+25), 1 low (+3).

Published to npm: