Platform: nodejs
Component: todesktop
Fixed in: 2024.0.1
CVE-2025-27554 describes a critical remote code execution (RCE) vulnerability affecting ToDesktop, a Node.js package used by Cursor and other applications. This vulnerability allows attackers to execute arbitrary commands on the build server, potentially leading to unauthorized access and data breaches. The vulnerability impacts versions of ToDesktop prior to 2024-10-03, and has been fixed in version 2024-10-03.
The primary impact of CVE-2025-27554 is the ability for a remote attacker to execute arbitrary commands on the build server. This is achieved through a malicious postinstall script within the package.json file. Successful exploitation allows the attacker to read sensitive information, such as secrets stored in the desktopify config.prod.json file. This compromised data could then be used to deploy malicious updates to applications, effectively gaining control over the deployment pipeline. The blast radius extends to any application utilizing the vulnerable version of ToDesktop, potentially impacting a wide range of users and systems.
CVE-2025-27554 was publicly disclosed on 2025-03-01. No active exploitation has been reported at the time of writing, but the vulnerability's CRITICAL severity and ease of exploitation suggest a high probability of future attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature and severity.
Exploit Status
EPSS: 0.43% (63rd percentile)
The primary mitigation for CVE-2025-27554 is to immediately upgrade ToDesktop to version 2024-10-03 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the build server and carefully reviewing any newly installed packages. Implement stricter access controls and auditing on the build server to detect and prevent unauthorized command execution. Review the desktopify config.prod.json file and ensure sensitive data is properly secured and not accessible to unauthorized users. After upgrading, confirm the fix by running npm install and verifying that the postinstall script executes without errors and does not attempt to access sensitive files.
Update the 'todesktop' dependency to a version later than 2024-10-02. This will prevent remote command execution on the build server through the postinstall script in package.json. See the ToDesktop blog for more information on the vulnerability and security measures implemented.
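The vector above is a lifecycle script that npm runs automatically at install time, and the interim mitigation is to review newly installed packages before the build runs. The following is an added example, not code from the advisory or from the ToDesktop project: it audits a set of package.json manifests (here constructed inline; on a build server they would be collected from node_modules) and reports every install-time hook a reviewer should inspect.

```javascript
// Added example (not from the advisory): flag npm lifecycle scripts that run
// automatically during install, the vector CVE-2025-27554 describes for the
// ToDesktop build server. All manifests below are constructed sample data.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return every install-time hook a single package.json declares.
function findInstallHooks(manifestText, label) {
  const pkg = JSON.parse(manifestText);
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string").map(
    (hook) => ({ package: pkg.name || label, hook, command: scripts[hook] }),
  );
}

// Audit a map of path -> manifest text and return the findings to review.
// A manifest that does not parse is itself reported, never silently skipped.
function auditManifests(manifests) {
  const findings = [];
  for (const [path, text] of Object.entries(manifests)) {
    try {
      findings.push(...findInstallHooks(text, path));
    } catch (err) {
      findings.push({ package: path, hook: "parse-error", command: err.message });
    }
  }
  return findings;
}

// Constructed inputs: a clean manifest, one with an install hook, one broken.
const SAMPLE_MANIFESTS = {
  "node_modules/harmless-lib/package.json": JSON.stringify({
    name: "harmless-lib",
    version: "1.0.0",
    scripts: { build: "tsc", test: "node test.js" }, // not run on install
  }),
  "node_modules/suspicious-dep/package.json": JSON.stringify({
    name: "suspicious-dep",
    version: "0.0.1",
    scripts: { postinstall: "node ./setup.js" }, // runs automatically on install
  }),
  "node_modules/broken/package.json": "{ not json",
};

for (const f of auditManifests(SAMPLE_MANIFESTS)) {
  console.log(`${f.package}: ${f.hook} -> ${f.command}`);
}
```

On a build server, `npm ci --ignore-scripts` keeps these hooks from executing at all while the reported manifests are reviewed.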
CVE-2025-27554 is a critical remote code execution vulnerability in ToDesktop versions before 2024-10-03. It allows attackers to execute commands on the build server, potentially accessing sensitive data.
You are affected if you are using ToDesktop versions prior to 2024-10-03, or if you use Cursor or other applications that depend on a vulnerable version of ToDesktop.
Upgrade ToDesktop to version 2024-10-03 or later. If immediate upgrade is not possible, restrict build server access and review installed packages.
No active exploitation has been reported, but the vulnerability's severity suggests a high probability of future attacks.
Refer to the relevant security advisories from the ToDesktop project and any dependent applications like Cursor for detailed information and updates.