Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.
Details
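The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:
packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
packages/playwright-core/bin/reinstall_msedge_stable_mac.sh
In each case, the shell scripts download a browser installer package using curl -k and immediately install it.
Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.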
PoC
A high-level exploitation scenario:
An attacker performs a MitM attack on a network where the victim runs one of these scripts.
The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
The attacker's code is executed with system privileges, leading to full compromise.
No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.
Impact
This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.
New property testStepInfo.titlePath returns the full title path starting from the test file, including test and step titles.
Codegen
Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.
Breaking Changes
⚠️ Dropped support for Chromium extension manifest v2.
Miscellaneous
Added support for Debian 13 "Trixie".
Browser Versions
Chromium 140.0.7339.16
Mozilla Firefox 141.0
WebKit 26.0
This version was also tested against the following stable channels:
New cookie property partitionKey in browserContext.cookies() and browserContext.addCookies(). This property allows to save and restore partitioned cookies. See CHIPS MDN article for more information. Note that browsers have different support and defaults for cookie partitioning.
New option noSnippets to disable code snippets in the html report.
New property location in test annotations, for example in testResult.annotations and testInfo.annotations. It shows where the annotation like test.skip or test.fixme was added.
Command Line
New option --user-data-dir in multiple commands. You can specify the same user data dir to reuse browsing state, like authentication, between sessions.
```ts
await expect(locator).toMatchAriaSnapshot(`
  - list
    - /children: equal
    - listitem: Feature A
    - listitem:
      - link "Feature B":
        - /url: "https://playwright.dev"
`);
```
Test Runner
New property testProject.workers allows to specify the number of concurrent worker processes to use for a test project. The global limit of property testConfig.workers still applies.
New testConfig.failOnFlakyTests option to fail the test run if any flaky tests are detected, similarly to --fail-on-flaky-tests. This is useful for CI/CD environments where you want to ensure that all tests are stable before deploying.
HTML reporter now supports NOT filtering via !@my-tag or !my-file.spec.ts or !p:my-project.
Breaking Changes
Changes to glob URL patterns in methods like page.route():
? wildcard is not supported any more, it will always match question mark ? character.
Ranges/sets [] are not supported anymore. We recommend using regular expressions instead.
Method route.continue() does not allow to override the Cookie header anymore. If a Cookie header is provided, it will be ignored, and the cookie will be loaded from the browser's cookie store. To set custom cookies, use browserContext.addCookies().
macOS 13 is now deprecated and will no longer receive WebKit updates. Please upgrade to a more recent macOS version to continue benefiting from the latest WebKit improvements.
Browser Versions
Chromium 136.0.7103.25
Mozilla Firefox 137.0
WebKit 18.4
This version was also tested against the following stable channels:
New option indexedDB for browserContext.storageState() allows to save and restore IndexedDB contents. Useful when your application uses IndexedDB API to store authentication tokens, like Firebase Authentication.
```ts
// tests/auth.setup.ts
import { test as setup, expect } from '@playwright/test';
import path from 'path';

const authFile = path.join(__dirname, '../playwright/.auth/user.json');

setup('authenticate', async ({ page }) => {
  await page.goto('/');
  // ... perform authentication steps ...

  // make sure to save indexedDB
  await page.context().storageState({ path: authFile, indexedDB: true });
});
```
Copy prompt
New "Copy prompt" button on errors in the HTML report, trace viewer and UI mode. Click to copy a pre-filled LLM prompt that contains the error message and useful context for fixing the error.
HTML report will show this information when available:
Test Step improvements
A new TestStepInfo object is now available in test steps. You can add step attachments or skip the step under some conditions.
```ts
import { test } from '@playwright/test';

test('some test', async ({ page, isMobile }) => {
  // Note the new "step" argument:
  await test.step('here is my step', async step => {
    step.skip(isMobile, 'not relevant on mobile layouts');

    // ...
    await step.attach('my attachment', { body: 'some text' });
    // ...
  });
});
```
New option timeout allows specifying a maximum run time for an individual test step. A timed-out step will fail the execution of the test.
```ts
import { test } from '@playwright/test';

test('some test', async ({ page }) => {
  await test.step('a step', async () => {
    // This step can time out separately from the test
  }, { timeout: 1000 });
});
```
New method test.step.skip() to disable execution of a test step.
```ts
import { test } from '@playwright/test';

test('some test', async ({ page }) => {
  await test.step('before running step', async () => {
    // Normal step
  });

  await test.step.skip('not yet ready', async () => {
    // This step is skipped
  });

  await test.step('after running step', async () => {
    // This step still runs even though the previous one was skipped
  });
});
```
Option testConfig.updateSnapshots added the configuration enum changed. changed updates only the snapshots that have changed, whereas all now updates all snapshots, regardless of whether there are any differences.
New option testConfig.updateSourceMethod defines the way source code is updated when testConfig.updateSnapshots is configured. Added overwrite and 3-way modes that write the changes into source code, on top of existing patch mode that creates a patch file.
npx playwright test --update-snapshots=changed --update-source-method=3way
Option testConfig.webServer added a gracefulShutdown field for specifying a process kill signal other than the default SIGKILL.
Exposed testStep.attachments from the reporter API to allow retrieval of all attachments created by that step.
New option pathTemplate for toHaveScreenshot and toMatchAriaSnapshot assertions in the testConfig.expect configuration.
UI updates
Updated default HTML reporter to improve display of attachments.
New button for picking elements to produce aria snapshots.
Additional details (such as keys pressed) are now displayed alongside action API calls in traces.
Display of canvas content in traces is error-prone. Display is now disabled by default, and can be enabled via the Display canvas content UI setting.
Call and Network panels now display additional time information.
Option testConfig.updateSnapshots now updates all snapshots when set to all, rather than only the failed/changed snapshots. Use the new enum changed to keep the old functionality of only updating the changed snapshots.
Browser Versions
Chromium 133.0.6943.16
Mozilla Firefox 134.0
WebKit 18.2
This version was also tested against the following stable channels:
Google Chrome 132
Microsoft Edge 132
Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8am and before 4pm on tuesday" in timezone America/Los_Angeles.
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
This PR contains the following updates:
1.49.1 -> 1.55.1
GitHub Vulnerability Alerts
CVE-2025-59288
Summary
Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.
Details
The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:
packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
packages/playwright-core/bin/reinstall_msedge_stable_mac.sh
In each case, the shell scripts download a browser installer package using curl -k and immediately install it.
Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.
PoC
A high-level exploitation scenario:
An attacker performs a MitM attack on a network where the victim runs one of these scripts.
The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
The attacker's code is executed with system privileges, leading to full compromise.
No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.
Impact
This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.
Fix
Credit
Disclosure
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
CVE-2025-59288 / GHSA-7mvr-c777-76hp
More information
Details
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
microsoft/playwright (playwright)
v1.55.1
Highlights
https://github.com/microsoft/playwright/issues/37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
https://github.com/microsoft/playwright/issues/37147 - [Regression]: Internal error: step id not found
https://github.com/microsoft/playwright/issues/37146 - [Regression]: HTML reporter displays a broken chip link when there are no projec
https://github.com/microsoft/playwright/pull/37137 - Revert "fix(a11y): track inert elements as hidden
https://github.com/microsoft/playwright/pull/37532 - chore: do not use -k option
Browser Versions
This version was also tested against the following stable channels:
v1.55.0
New APIs
Codegen
Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.
Breaking Changes
Miscellaneous
Browser Versions
This version was also tested against the following stable channels:
v1.54.2
Highlights
https://github.com/microsoft/playwright/issues/36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error)
https://github.com/microsoft/playwright/issues/36828 - [Regression]: Playwright Codegen keeps spamming with selected optio
https://github.com/microsoft/playwright/issues/36810 - [Regression]: Starting Codegen with target language doesn't work anymore
Browser Versions
This version was also tested against the following stable channels:
v1.54.1
Highlights
https://github.com/microsoft/playwright/issues/36650 - [Regression]: 1.54.0 breaks downloading browsers when an HTTP(S) proxy is used
Browser Versions
This version was also tested against the following stable channels:
v1.54.0
Highlights
New cookie property partitionKey in browserContext.cookies() and browserContext.addCookies(). This property allows to save and restore partitioned cookies. See CHIPS MDN article for more information. Note that browsers have different support and defaults for cookie partitioning.
New option noSnippets to disable code snippets in the html report.
New property location in test annotations, for example in testResult.annotations and testInfo.annotations. It shows where the annotation like test.skip or test.fixme was added.
Command Line
New option --user-data-dir in multiple commands. You can specify the same user data dir to reuse browsing state, like authentication, between sessions.
Option -gv has been removed from the npx playwright test command. Use --grep-invert instead.
npx playwright open does not open the test recorder anymore. Use npx playwright codegen instead.
Miscellaneous
Browser Versions
This version was also tested against the following stable channels:
v1.53.2
Highlights
https://github.com/microsoft/playwright/issues/36317 - [Regression]: Merging pre-1.53 blob reports loses attachments
https://github.com/microsoft/playwright/pull/36357 - [Regression (Chromium)]: CDP missing trailing slas
https://github.com/microsoft/playwright/issues/36292 - [Bug (MSEdge)]: Edge fails to launch when using msRelaunchNoCompatLayer
Browser Versions
This version was also tested against the following stable channels:
v1.53.1
Highlights
https://github.com/microsoft/playwright/issues/36339 - [Regression]: Click can fail when scrolling required
https://github.com/microsoft/playwright/issues/36307 - [Regression (Chromium)]: Under some scenarios filling a textarea doesn't fill
https://github.com/microsoft/playwright/issues/36294 - [Regression (Firefox)]: setViewportSize times out
https://github.com/microsoft/playwright/pull/36350 - [Fix]: Display HTTP method for fetch trace entries
Browser Versions
This version was also tested against the following stable channels:
v1.53.0
Trace Viewer and HTML Reporter Updates
New Steps in Trace Viewer and HTML reporter:
New option in 'html' reporter to set the title of a specific test run:
Miscellaneous
New option kind in testInfo.snapshotPath() controls which snapshot path template is used.
New method locator.describe() to describe a locator. Used for trace viewer and reports.
npx playwright install --list will now list all installed browsers, versions and locations.
Browser Versions
This version was also tested against the following stable channels:
v1.52.0
Highlights
New method expect(locator).toContainClass() to ergonomically assert individual class names on the element.
Aria Snapshots got two new properties: /children for strict matching and /url for links.
Test Runner
New testConfig.failOnFlakyTests option to fail the test run if any flaky tests are detected, similarly to --fail-on-flaky-tests. This is useful for CI/CD environments where you want to ensure that all tests are stable before deploying.
Miscellaneous
maxRedirects in apiRequest.newContext() to control the maximum number of redirects.
HTML reporter now supports NOT filtering via !@my-tag or !my-file.spec.ts or !p:my-project.
Breaking Changes
? wildcard is not supported any more, it will always match question mark ? character.
Ranges/sets [] are not supported anymore. We recommend using regular expressions instead.
Method route.continue() does not allow to override the Cookie header anymore. If a Cookie header is provided, it will be ignored, and the cookie will be loaded from the browser's cookie store. To set custom cookies, use browserContext.addCookies().
Browser Versions
This version was also tested against the following stable channels:
v1.51.1
Highlights
https://github.com/microsoft/playwright/issues/35093 - [Regression]: TimeoutOverflowWarning: 2149630.634 does not fit into a 32-bit signed integer
https://github.com/microsoft/playwright/issues/35138 - [Regression]: TypeError: Cannot read properties of undefined (reading 'expectInfo')
Browser Versions
This version was also tested against the following stable channels:
v1.51.0
StorageState for indexedDB
New option indexedDB for browserContext.storageState() allows to save and restore IndexedDB contents. Useful when your application uses IndexedDB API to store authentication tokens, like Firebase Authentication.
Here is an example following the authentication guide:
Copy prompt
New "Copy prompt" button on errors in the HTML report, trace viewer and UI mode. Click to copy a pre-filled LLM prompt that contains the error message and useful context for fixing the error.
Filter visible elements
New option visible for locator.filter() allows matching only visible elements.
Git information in HTML report
Set option testConfig.captureGitInfo to capture git information into testConfig.metadata.
HTML report will show this information when available:
Test Step improvements
A new TestStepInfo object is now available in test steps. You can add step attachments or skip the step under some conditions.
Miscellaneous
contrast for methods page.emulateMedia() and browser.newContext() allows to emulate the prefers-contrast media feature.
failOnStatusCode makes all fetch requests made through the APIRequestContext throw on response codes other than 2xx and 3xx.
Browser Versions
This version was also tested against the following stable channels:
v1.50.1
Highlights
https://github.com/microsoft/playwright/issues/34483 - [Feature]: single aria snapshot for different engines/browsers
https://github.com/microsoft/playwright/issues/34497 - [Bug]: Firefox not handling keepalive: true fetch request
https://github.com/microsoft/playwright/issues/34504 - [Bug]: update snapshots not creating good dif
https://github.com/microsoft/playwright/issues/34507 - [Bug]: snapshotPathTemplate doesnt work when multiple proje
https://github.com/microsoft/playwright/issues/34462 - [Bug]: updateSnapshots "changed" throws an error
Browser Versions
This version was also tested against the following stable channels:
v1.50.0
Test runner
New option timeout allows specifying a maximum run time for an individual test step. A timed-out step will fail the execution of the test.
New method test.step.skip() to disable execution of a test step.
Expanded expect(locator).toMatchAriaSnapshot() to allow storing of aria snapshots in separate YAML files.
Added method expect(locator).toHaveAccessibleErrorMessage() to assert the Locator points to an element with a given aria errormessage.
Option testConfig.updateSnapshots added the configuration enum changed. changed updates only the snapshots that have changed, whereas all now updates all snapshots, regardless of whether there are any differences.
New option testConfig.updateSourceMethod defines the way source code is updated when testConfig.updateSnapshots is configured. Added overwrite and 3-way modes that write the changes into source code, on top of existing patch mode that creates a patch file.
npx playwright test --update-snapshots=changed --update-source-method=3way
Option testConfig.webServer added a gracefulShutdown field for specifying a process kill signal other than the default SIGKILL.
Exposed testStep.attachments from the reporter API to allow retrieval of all attachments created by that step.
New option pathTemplate for toHaveScreenshot and toMatchAriaSnapshot assertions in the testConfig.expect configuration.
UI updates
Display of canvas content in traces is error-prone. Display is now disabled by default, and can be enabled via the Display canvas content UI setting.
Call and Network panels now display additional time information.
Breaking
<input>, <select>, or a number of other editable elements.
Option testConfig.updateSnapshots now updates all snapshots when set to all, rather than only the failed/changed snapshots. Use the new enum changed to keep the old functionality of only updating the changed snapshots.
Browser Versions
This version was also tested against the following stable channels:
This PR has been generated by Renovate Bot.
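
For the CVE-2025-59288 advisory quoted in this PR: an added example, not code from Playwright, the advisory or Renovate, that audits a directory of shell installer scripts for curl calls with certificate verification disabled (-k, --insecure, or k bundled into a short-flag group such as -sSLk, including across backslash continuations). The function names, file names and example.invalid URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Playwright's code): find curl invocations that disable
# TLS certificate verification, the pattern the advisory describes.
# All names and sample files here are constructed for illustration.

# Succeeds if one shell word is --insecure or a short-flag group containing k.
# Scanning stops at a short option that takes a value (-o, -H, -K, ...),
# because the rest of the word is that value, e.g. -opackage.pkg.
is_insecure_flag() (
  case $1 in
    --insecure) exit 0 ;;
    --* | -) exit 1 ;;
    -*) rest=${1#-} ;;
    *) exit 1 ;;
  esac
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}            # first character of the flag group
    rest=${rest#?}
    case $c in
      k) exit 0 ;;
      [AbcCdDeEFHKmoPQrtTuUwxXyYz]) exit 1 ;;
    esac
  done
  exit 1
)

# Print "file:line: text" for each line in DIR/*.sh where a curl command
# disables verification. Exit status 1 if anything was found, 0 if clean.
find_insecure_curl() (
  found=0
  for file in "$1"/*.sh; do
    [ -f "$file" ] || continue
    set -f                            # split lines into words without globbing
    n=0 in_curl=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1)) hit=0
      for word in $line; do
        case $word in
          \#*) break ;;                               # rest is a comment
          curl | */curl) in_curl=1 ;;
          '|' | '||' | '&&' | ';') in_curl=0 ;;       # a new command starts
          *) if [ "$in_curl" = 1 ] && is_insecure_flag "$word"; then hit=1; fi ;;
        esac
      done
      if [ "$hit" = 1 ]; then
        printf '%s:%s: %s\n' "${file##*/}" "$n" "$line"
        found=1
      fi
      case $line in *\\) ;; *) in_curl=0 ;; esac      # keep state across "\"
    done < "$file"
  done
  exit "$found"
)

# Write constructed sample scripts (not the real Playwright files) into DIR.
write_samples() {
  cat > "$1/flagged_plain.sh" <<'EOF'
curl --retry 3 -o ./browser.pkg -k https://downloads.example.invalid/browser.pkg
sudo installer -pkg ./browser.pkg -target /
EOF
  cat > "$1/flagged_bundled.sh" <<'EOF'
curl -fsSLk https://downloads.example.invalid/b.pkg -o b.pkg
curl -fsSL https://downloads.example.invalid/c.pkg \
  --insecure -o c.pkg
EOF
  cat > "$1/clean.sh" <<'EOF'
# curl -k would be wrong here
curl -fsSL --proto '=https' --tlsv1.2 -o d.pkg https://downloads.example.invalid/d.pkg
curl -K ./curlrc -opackage.pkg https://downloads.example.invalid/e.pkg
tar -xkf archive.tar
EOF
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && write_samples "$d"
  find_insecure_curl "$d"; echo "exit status: $?"
  rm -rf "$d"
fi
```

Run it over a script directory in CI and fail the job on a non-zero status. The word splitting is a heuristic: it does not parse shell quoting or flags held in variables.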