Playwright Spoofing Vulnerability

MEDIUM (5.3) No Patch (67 days)

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 12%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Playwright is a browser automation framework used by developers to automate web browsers. This vulnerability allows an attacker to spoof requests over an adjacent network, potentially leading to unauthorized access to sensitive data or systems.

Am I affected?

You're affected if you use Playwright version 1.25.0-2022-03-01 or later.
Check with: run npm ls playwright, or look at the version number listed for playwright in your package.json file

Note: This is a specific vulnerability related to the Playwright browser automation framework, not to be confused with other frameworks or tools.

Affected Packages

npm: playwright@latest

Affected Products

Microsoft / Playwright

How to fix

  1. Upgrade to Playwright version 1.25.0-2022-03-01 or later.
    • Install via npm: npm install playwright@latest
    • Update your project's package.json file with the new version number.
  2. Immediate mitigations:
    • Restrict network access to your Playwright instance (firewall it from the public internet)
    • Audit automation scripts for suspicious patterns
    • Monitor for unauthorized requests