Figma MCP Vulnerability CVE-2025-53967 Enables Remote Code Execution—Update to v0.6.3 Now

A critical command injection vulnerability (CVE-2025-53967, CVSS 7.5) in Figma's figma-developer-mcp server has been patched, but it previously allowed attackers to execute arbitrary system commands remotely. Discovered by Imperva in July 2025, the flaw stems from unsanitized user input in shell commands, particularly in the fallback curl execution via child_process.exec in src/utils/fetch-with-retry.ts. This "design oversight" could let bad actors inject metacharacters (like | or &&) to run malicious code under server privileges, risking data exposure for developers using AI tools like Cursor.


Exploitation unfolds through MCP client interactions: an Initialize request grabs a session ID, followed by a tools/call JSONRPC to Figma APIs. If the standard fetch fails, the vulnerable curl command interpolates untrusted URLs or headers, enabling RCE. Attackers on the same network (e.g., public Wi-Fi) or via DNS rebinding could trigger it by luring victims to malicious sites. The issue highlights risks in AI-driven dev tools, where indirect prompt injection could hijack operations like get_figma_data.


Figma fixed it in version 0.6.3 on September 29, 2025—update now and avoid child_process.exec with untrusted input, opting for execFile instead. This comes amid rising AI threats, like Google's unpatched ASCII smuggling in Gemini, which bypasses filters for data poisoning in Workspace integrations. As LLMs power enterprise tools, prioritizing security in local-run agents is crucial to block these evolving attack vectors.