Full Report
The author was trying to use Cursor, an AI coding assistant. When downloading this tool, they got a hit on a firewall software that it was making an outgoing connection to download.todesktop.com. todesktop is an Electron app bundling service that provides an SDK for Electron apps. Since this was a deployment service, the author was interested in its security. A vulnerability would allow for the compromise of hundreds of apps. After seeing that this used Firestore, firebase's no-sql database that is often used in frontend, they quickly got to work hunting for bugs. This led them to an NPM CLI package. The cloud function getSignedURL() had an arbitrary S3 upload vulnerability. However, they didn't have a useful place to upload files to so they just moved on. Since this entire platform was about building and deploying, they were curious about how this was done. They added a postinstall script to the package.json. They found an encrypted configuration file when navigating this container with a reverse shell used for Firebase. After finding the decryption code, they got a hardcoded Firebase admin key. This service allowed them to auto-update any app of their liking, including Cursor. They tested this by deploying an update to their custom app and immediately saw the results. There is a huge impact on this! To fix this issue, the build container has a privileged sidecar that does the signing, uploading and everything else, while the main container only has the user code. User isolation on arbitrary code is extremely difficult, in my opinion. They got a 5K bounty from todesktop, which the author said was fair because of the company's size. Cursor gave them 50K too, which is amazing. Overall, great post!
Analysis Summary
# Vulnerability: Arbitrary Code Execution via Compromised Build Pipeline in toDesktop Service
## CVE Details
- CVE ID: **Not explicitly provided in the source article.** (This appears to be a vendor-reported vulnerability leading to a bounty, often assigned a CVE later or kept internal if the scope is limited.)
- CVSS Score: **Not explicitly provided in the source article.** (Likely High/Critical due to RCE on downstream users.)
- CWE: CWE-269 (Improper Privilege Management) combined with CWE-78 (OS Command Injection) potentially via the compromised build process.
## Affected Systems
- Products: **todesktop SDK/Service** (An Electron app bundling and deployment service).
- Versions: **All versions prior to the deployment of the vendor hotfix.**
- Configurations: Applications using the todesktop service for building and deploying updates (e.g., Cursor, ClickUp, Linear, Notion Calendar were cited as examples).
## Vulnerability Description
The vulnerability chain allowed for Remote Code Execution (RCE) on the build infrastructure managed by todesktop, which led to the ability to deploy malicious updates to any application relying on the service.
The initial finding involved recognizing that the `@todesktop/cli` package contained an arbitrary S3 upload flaw in the `getSignedURL()` cloud function, though this was not immediately exploitable for impact.
The critical flaw was discovered by injecting a reverse shell via a **`postinstall` script** executed within the build container when the CLI package was installed or used. Once inside the build container, the researcher found an **encrypted configuration file** and subsequently located a **hardcoded, full-scoped Firebase Admin Key**. This key provided full administrative control over the Firebase platform used for application management, enabling the attacker to deploy self-updating malicious code to any platform bundled by todesktop.
## Exploitation
- Status: **Proof of Concept (PoC) available/Demonstrated.** The researcher successfully deployed a malicious update to a custom application which resulted in RCE on their client machine upon application restart.
- Complexity: **Medium.** Required initial vulnerability triangulation (S3 upload path) followed by successful injection into the build environment (postinstall script) and recovery of secrets (decryption knowledge and key retrieval).
- Attack Vector: **Local/Supply Chain.** Exploitation targets the application build pipeline/deployment infrastructure, affecting end-users downstream.
## Impact
- Confidentiality: **High.** Access to the build environment and admin keys could lead to snooping on secrets or source code being processed.
- Integrity: **Critical.** Ability to deploy arbitrary, signed update packages to hundreds of client applications, leading to widespread RCE on end-user machines (potentially millions of devices across corporate environments).
- Availability: **High.** Potential for repeated delivery of disruptive or harmful payloads.
## Remediation
### Patches
- **Vendor Implemented Fix:** The build container structure was modified. The main build container now runs the user code with restricted privileges. **A privileged sidecar container** was introduced to exclusively handle sensitive operations like code signing and secure uploading, isolating user code from inherent secrets and deployment logic.
### Workarounds
- **Configuration Change (Customer Side):** Cursor stopped using the todesktop build system, switching to their own build infrastructure. (This is an application-specific mitigation, not a general todesktop fix).
## Detection
- **Indicators of Compromise (IoCs):**
- Anomalous outbound connections from build infrastructure accessing Firebase services using unusual credentials/scopes.
- Unexpected execution of `postinstall` scripts within the build environment if resource monitoring is in place.
- Deployment events showing changes initiated by compromised credentials (e.g., deployments originating from unauthorized sources using the admin key).
- **Detection Methods and Tools:**
- Strict container isolation between build code execution and sensitive signing/upload processes (as implemented in the fix).
- Monitoring for unexpected file system activity or secret file reads within build containers.
## References
- Vendor Advisory: `https://www.todesktop.com/blog/posts/security-incident-at-todesktop`
- Researcher Post (Defanged): `how to gain code execution on millions of people and hundreds of popular apps - eva's site`