CVE-2025-59288: Playwright Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.3)

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Oct

Released

2025-10-14

EPSS Score

0.03% (percentile: 8.4%)

Description

Improper verification of cryptographic signature in Github: Playwright allows an unauthorized attacker to perform spoofing over an adjacent network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack. According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability? This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

Affected Products (1)

Open Source Software

• microsoft/playwright

Security Updates (1)

• Repo

Acknowledgments

<a href="https://www.linkedin.com/in/jonathan-leitschuh/">Jonathan Leitschuh</a> with <a href="https://socket.dev/">Socket</a>

Revision History

• 2025-10-14: Information published.