
Conversation

@justinpearson
Owner

Summary

Updates Playwright to fix CVE-2025-59288, a high-severity security vulnerability in browser installer scripts.

Changes

  • Updated @playwright/test from ^1.52.0 to ^1.56.1
  • This updates transitive playwright dependency from 1.52.0 to 1.56.1

Security Issue

CVE-2025-59288 (GHSA-7mvr-c777-76hp) - High Severity

Playwright's browser installer scripts used curl -k (insecure flag) to download and install browsers without validating SSL certificates. This allowed attackers to perform Man-in-the-Middle attacks and deliver malicious executables.

Affected versions: playwright < 1.55.1
Fixed in: playwright >= 1.55.1

Test Plan

  • All unit tests pass (yarn test)
  • Playwright updated to secure version (1.56.1)
  • yarn.lock updated with new dependencies

References

🤖 Generated with Claude Code

Updated @playwright/test from ^1.52.0 to ^1.56.1, which updates the
transitive playwright dependency from 1.52.0 to 1.56.1.

This fixes CVE-2025-59288 (GHSA-7mvr-c777-76hp), a high-severity
vulnerability where Playwright's browser installer scripts used
curl -k (insecure) to download and install browsers, allowing
potential Man-in-the-Middle attacks.

The vulnerability affected playwright < 1.55.1. Version 1.56.1
removes the -k flag and properly validates SSL certificates.

Fixes: https://github.com/justinpearson/kidpix/security/dependabot/17
References: GHSA-7mvr-c777-76hp

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
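As an added example, not code from this PR, from the kidpix repository, or from Playwright's own installer: the download pattern the advisory text describes (curl with -k) beside a hardened form that keeps certificate verification and additionally pins the artifact to a known SHA-256, plus the check a reviewer would run to confirm that the resolved (not merely requested) playwright version is at or past 1.55.1. The URL, output path, digest and node_modules location are placeholders; `version_ge` is a hypothetical helper written here, not a Playwright or yarn command.

```shell
#!/bin/sh
# Added example; not part of the PR or of Playwright. Placeholders only.

# Weak pattern described in the advisory: -k / --insecure makes curl accept
# any certificate, so an on-path attacker can substitute the browser binary.
# Shown for contrast only; never call this.
insecure_fetch() {
    curl -k -L -o "$2" "$1"
}

# Hardened pattern: keep certificate verification (curl's default), allow
# only https before and after redirects, fail on HTTP errors, then check
# the artifact against a digest obtained out of band.
verified_fetch() {
    url=$1; out=$2; expected_sha256=$3
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$out" "$url" || return 1
    verify_sha256 "$out" "$expected_sha256"
}

# Returns 0 when the file's SHA-256 equals the expected lowercase hex digest.
verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Hypothetical helper: returns 0 when dotted version $1 >= $2, comparing
# each numeric component; a pre-release suffix such as "-beta" is ignored.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%-*}; bi=${bi%%-*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Returns 0 when the given playwright version is at or past the fixed
# release named in the advisory (>= 1.55.1).
playwright_is_patched() {
    version_ge "$1" 1.55.1
}

# Reads the version actually installed under a project directory (placeholder
# path). The ^1.56.1 range in package.json is not proof; the resolved copy is.
installed_playwright_version() {
    node -p "require('$1/node_modules/playwright/package.json').version"
}

# Usage (placeholders): fetch a browser archive with verification, then
# confirm the installed dependency is on a fixed release.
#   verified_fetch https://example.invalid/browser.zip /tmp/browser.zip <sha256>
#   playwright_is_patched "$(installed_playwright_version /path/to/project)"
```

The checksum step is the caveat worth keeping even after the -k fix: certificate verification authenticates the server, not the file, so a pinned digest still catches a wrong or compromised mirror.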
@justinpearson justinpearson merged commit 6ee91a3 into main Oct 27, 2025
@justinpearson justinpearson deleted the fix-playwright-security-cve-2025-59288 branch October 27, 2025 11:50