CVE-2025-27554
Published: 01 March 2025
Description
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Security Summary
CVE-2025-27554 is a code injection vulnerability (CWE-94) in ToDesktop versions before 2024-10-03, a component used by Cursor before 2024-10-03 and by other applications. It enables remote attackers to execute arbitrary commands on the build server (for instance, reading secrets from the desktopify config.prod.json file) and subsequently deploy updates to any app built with the service. The flaw stems from a postinstall script in package.json, which npm runs automatically on the build host during installation. It carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), rated critical because it is reachable over the network, requires low attack complexity, and its impact crosses the security scope of the vulnerable component into every downstream application.
Attackers require only low privileges (PR:L) to exploit the vulnerability remotely without user interaction. Successful exploitation grants arbitrary command execution on the build server, allowing attackers to access sensitive configuration data and push malicious updates to affected applications, potentially compromising entire deployment pipelines.
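The root cause named above is an install-time lifecycle script that runs on the build host as a side effect of installation. One defensive control a build pipeline can apply is to inspect each manifest for such hooks before running `npm install` and require review when any are present. The following Python is an added example written for this page, not code from ToDesktop, Cursor, or the linked advisories; the manifests it checks are constructed samples, and `find_install_hooks` and `review_required` are hypothetical helper names.

```python
import json

# npm lifecycle hooks that execute automatically during `npm install` / `npm ci`.
# Any of these declared in a package.json runs on the machine performing the
# install, which on a build server means the host holding deployment secrets.
INSTALL_TIME_HOOKS = (
    "preinstall", "install", "postinstall",
    "prepare", "prepublish", "preprepare", "postprepare",
)


def find_install_hooks(package_json_text: str) -> dict:
    """Return {hook_name: command} for every install-time lifecycle script
    declared in the given package.json content.

    An empty dict means the manifest declares nothing that executes
    automatically at install time. Malformed "scripts" entries are treated
    as declaring no hooks rather than raising, so the gate stays usable on
    odd manifests; the JSON itself must still parse.
    """
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {
        name: command
        for name, command in scripts.items()
        if name in INSTALL_TIME_HOOKS and isinstance(command, str)
    }


def review_required(package_json_text: str) -> bool:
    """CI gate: True when installing this manifest would execute code
    on the build host before any reviewer has looked at that code."""
    return bool(find_install_hooks(package_json_text))


# Constructed sample manifests (not taken from any real package).
SAFE_MANIFEST = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"build": "tsc", "test": "jest"},
})

HOOKED_MANIFEST = json.dumps({
    "name": "example-lib",
    "version": "1.0.1",
    "scripts": {"build": "tsc", "postinstall": "node ./scripts/setup.js"},
})


if __name__ == "__main__":
    for label, text in (("safe", SAFE_MANIFEST), ("hooked", HOOKED_MANIFEST)):
        hooks = find_install_hooks(text)
        print(f"{label}: review_required={review_required(text)} hooks={hooks}")
```

Running the gate on a manifest that declares only `build` and `test` scripts reports no hooks; the constructed manifest with a `postinstall` entry is flagged for review. A complementary blanket control on build hosts is npm's `ignore-scripts=true` setting in `.npmrc`, which prevents lifecycle scripts from running at all; packages that genuinely need a post-install step then have to be handled explicitly rather than silently. Neither replaces the fix the page gives, which is updating to ToDesktop 2024-10-03 or later.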
Advisories and related posts, including ToDesktop's security incident report (https://www.todesktop.com/blog/posts/security-incident-at-todesktop), an analysis at https://kibty.town/blog/todesktop, and the Hacker News discussion (https://news.ycombinator.com/item?id=43210858), describe the issue, which was published on 2025-03-01. Mitigation is to update to ToDesktop 2024-10-03 or later, which addresses the postinstall script vulnerability.
No exploitation occurred in the wild.
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, "Code Injection")
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059 Command and Scripting Interpreter
- T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
Why these techniques?
Code injection (CWE-94) via the postinstall script gives remote attackers arbitrary command execution on the build server (T1190, T1059); control of the build server in turn lets them deploy malicious updates to downstream apps, which is a software supply chain compromise (T1195.002).