Critical severity9.9NVD Advisory· Published Mar 1, 2025· Updated Apr 15, 2026

CVE-2025-27554

Description

ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the desktopify config.prod.json file), and consequently deploy updates to any app, via a postinstall script in package.json. No exploitation occurred.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

kibty.town/blog/todesktopnvd
news.ycombinator.com/itemnvd
www.todesktop.com/blog/posts/security-incident-at-todesktopnvd

News mentions

No linked articles in our index yet.

cvss	0.643
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000