CVE-2025-27554
Published: 01 March 2025
Summary
CVE-2025-27554 is a critical-severity Code Injection (CWE-94) vulnerability in Kibty (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely installation of vendor patches for critical flaws like the postinstall script code injection in ToDesktop, directly eliminating the vulnerability.
- Enables scanning and monitoring of third-party dependencies such as ToDesktop npm packages to identify and address known CVEs like CVE-2025-27554 before exploitation.
- CM-10 (Software Usage Restrictions): Restricts use of unapproved or vulnerable software like pre-2024-10-03 ToDesktop versions, preventing installation and execution of the malicious postinstall script.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Code injection (CWE-94) enables remote arbitrary command execution on the build server (T1190 Exploit Public-Facing Application, T1059 Command and Scripting Interpreter), which directly facilitates supply chain compromise by deploying malicious updates to downstream apps (T1195.002 Compromise Software Supply Chain).
NVD Description
ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the desktopify config.prod.json file), and consequently deploy updates to any app, via a postinstall script in package.json. No exploitation occurred.
Deeper analysis
CVE-2025-27554 is a code injection vulnerability (CWE-94) in ToDesktop versions before 2024-10-03, a component used by Cursor before 2024-10-03 and other applications. It enables remote attackers to execute arbitrary commands on the build server (for instance, reading secrets from the desktopify config.prod.json file) and subsequently deploy updates to any app. The flaw stems from a postinstall script in package.json being executed on the build server, and it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): critical severity because the vector is network-reachable, attack complexity is low, the scope is changed (a compromised build server reaches every app it builds), and confidentiality, integrity and availability impacts are all high.
Attackers require only low privileges (PR:L) to exploit the vulnerability remotely without user interaction. Successful exploitation grants arbitrary command execution on the build server, allowing attackers to access sensitive configuration data and push malicious updates to affected applications, potentially compromising entire deployment pipelines.
Advisories and related posts detailing the issue, published on 2025-03-01, include ToDesktop's security incident report (https://www.todesktop.com/blog/posts/security-incident-at-todesktop), an analysis at https://kibty.town/blog/todesktop, and the Hacker News discussion (https://news.ycombinator.com/item?id=43210858). Mitigation involves updating to ToDesktop 2024-10-03 or later, which addresses the postinstall script vulnerability.
No exploitation occurred in the wild.
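The mechanism above relies on npm running a package's install-time lifecycle hooks (preinstall, install, postinstall) automatically on the build host. The following is an added example, not code from the advisory or from ToDesktop, of a pre-build audit that lists every such hook across a set of parsed package.json manifests and flags any package not on an explicit allow-list; the manifests, package names and hook commands are constructed for illustration.

```javascript
// Added example (not from the advisory or ToDesktop): audit npm manifests for
// install-time lifecycle hooks before a build server runs `npm install`.
// npm executes these scripts automatically during install, which is the
// mechanism behind CVE-2025-27554; on a shared build host every third-party
// hook deserves review before it is allowed to run.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Returns { package, hook, script } for every install-time hook found.
// manifests: array of parsed package.json objects (root plus dependencies).
function findInstallHooks(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = (m && m.scripts) || {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd === "string" && cmd.trim() !== "") {
        findings.push({ package: m.name || "<unnamed>", hook, script: cmd });
      }
    }
  }
  return findings;
}

// Policy check: install hooks are permitted only for packages that were
// explicitly reviewed and allow-listed. Returns the findings that violate it.
function policyViolations(manifests, allowList) {
  const allowed = new Set(allowList);
  return findInstallHooks(manifests).filter((f) => !allowed.has(f.package));
}

// Constructed sample manifests: a root app and two dependencies. The hook
// commands are illustrative and are not the script from the real incident.
const sampleManifests = [
  { name: "my-app", version: "1.0.0",
    scripts: { build: "tsc", postinstall: "node scripts/setup.js" } },
  { name: "native-addon", version: "2.3.1",
    scripts: { install: "node-gyp rebuild" } },
  { name: "plain-lib", version: "0.1.0", scripts: { test: "mocha" } },
];

// Only "native-addon" has been reviewed; "my-app" is reported for review.
for (const v of policyViolations(sampleManifests, ["native-addon"])) {
  console.log(`REVIEW: ${v.package} runs "${v.script}" at ${v.hook}`);
}
```

On a build host that should never run third-party hooks at all, npm's own `--ignore-scripts` flag (or `ignore-scripts=true` in .npmrc) disables them outright; the audit above is for pipelines that must keep selected hooks enabled.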
Details
- CWE(s)