Critical severity9.9NVD Advisory· Published Mar 1, 2025· Updated Apr 15, 2026
CVE-2025-27554
CVE-2025-27554
Description
ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the desktopify config.prod.json file), and consequently deploy updates to any app, via a postinstall script in package.json. No exploitation occurred.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: < 2024-10-03
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.