Image: xyz3va
A recently disclosed vulnerability in ToDesktop, an Electron app bundler service, could have allowed attackers to execute arbitrary commands on the build server and deploy unauthorized updates to applications using the platform.
The vulnerability, tracked as CVE-2025-27554 and assigned a CVSS score of 9.9, was discovered by security researcher xyz3va. It stemmed from excessive permissions granted to the build container, enabling a postinstall script in an application’s package.json file to retrieve Firebase credentials.
Exploiting this vulnerability could have allowed attackers to:
- Access the ToDesktop database and user accounts.
- Deploy unauthorized updates to applications built on the platform.
- Potentially compromise applications used by millions of users, including ClickUp, Cursor, Linear, and Notion Calendar.
The researcher discovered the flaw while investigating the AI text editor Cursor, which utilized ToDesktop for packaging its installer. During the analysis, she noted: “now, what the hell is todesktop? i thought i was downloading cursor? well, looking at their website, they seem to be an electron app bundler service alongside providing a SDK for electron apps.”
By inspecting ToDesktop’s CLI tool, the researcher found that:
- The build container had broader permissions than necessary.
- A hardcoded Firebase admin key was present in the container.
- The system allowed arbitrary uploads via a Firebase Cloud Function.
- A postinstall script in package.json could be used to execute commands inside the build container.
To confirm the vulnerability, she deployed an update to her own app, which resulted in remote code execution (RCE) on the build server.
The researcher responsibly disclosed the vulnerability to ToDesktop on October 2, 2024. The company responded swiftly, patching the vulnerability within 26 hours and rotating all sensitive tokens.
ToDesktop also engaged a third-party cybersecurity firm, Doyensec, to conduct an independent audit of its platform and build pipeline. The audit was completed in January 2025, with a subsequent retest finalized in February 2025.
In addition to the immediate fixes, ToDesktop has implemented several long-term security enhancements, including:
- Mandating the use of security keys for releasing app updates.
- Implementing access control permissions for build and release processes.
- Enhancing alerts for suspicious usage of sensitive access tokens.
- Applying the Principle of Least Privilege to build containers.
- Introducing an option for customers to self-host updates and downloads.
