High-Severity Figma MCP Flaw CVE-2025-53967 Allows Remote Command Injection via Fallback Mechanism

The popular design tool Figma has faced a potential security threat due to a vulnerability in the Model Context Protocol (MCP) server, the framework underpinning its integration with AI-driven agents. The issue, discovered in the summer of 2025 by specialists from Imperva, has since been resolved — yet at the time of discovery, it allowed for remote command execution on the server side. The vulnerability, tracked as CVE-2025-53967, received a CVSS score of 7.5, indicating high severity.

The flaw stemmed from insecure handling of incoming data. The figma-developer-mcp component improperly constructed shell commands, inserting client-supplied parameters directly without adequate sanitization. This oversight enabled attackers to inject shell metacharacters — such as |, >, and && — and alter the execution logic. The issue resided in the module src/utils/fetch-with-retry.ts, where a failed API request triggered a fallback mechanism invoking curl through child_process.exec, thereby exposing an avenue for injection attacks.

Under normal conditions, a client initializes a session with MCP and exchanges JSON-RPC requests to interact with various utilities — for instance, retrieving layout data or uploading images. However, by crafting malicious URLs or headers, an attacker could inject arbitrary commands executed with the server’s process privileges.

Such an attack could be carried out either within a local network — through a compromised corporate host or a public Wi-Fi connection — or via DNS Rebinding, requiring only that the victim visit a maliciously crafted website.

The report’s authors emphasized that the vulnerability originated from a design flaw in the fallback mechanism, where exec was used without validating the reliability of input data. As a result, a tool intended for local interaction with AI agents such as Cursor could become an entry point for a full-scale remote attack, potentially compromising developer projects and personal information.

The issue was patched in version 0.6.3, released on September 29, 2025. Developers are advised to avoid using child_process.exec for processing external input and instead adopt execFile, which prevents shell interpretation altogether.

Representatives from Imperva noted that as AI-assisted development tools evolve, greater attention must be paid to the security of local components, not just external APIs, since even seemingly isolated modules can become the weakest link in an organization’s infrastructure.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy