[Image: security alert graphic showing a cracked Figma logo, MCP server code being injected with shell commands, a remote attacker at a laptop, a patch badge for v0.6.3, and warning icons for AI tools]

A high-severity command injection vulnerability (CVE-2025-53967, CVSS 7.5) in the open-source figma-developer-mcp package (the Figma-Context-MCP project, an MCP server that exposes Figma design data to AI coding tools such as Cursor) has been patched. Before the fix it allowed a remote attacker to execute arbitrary operating-system commands on the machine running the server. Discovered by Imperva and reported in July 2025, the flaw is unsanitized input reaching a shell command: when the normal fetch fails, src/utils/fetch-with-retry.ts falls back to running curl through child_process.exec, with the request URL and headers interpolated into the command string. Shell metacharacters in that data (such as | or &&) are interpreted by /bin/sh, so an attacker can run code with the server's privileges and expose whatever the developer's account and machine can reach.


Exploitation uses ordinary MCP client traffic over the server's HTTP transport: the attacker sends an initialize request and receives a session ID, then sends a tools/call JSON-RPC request that makes the server reach out to the Figma API. If the standard fetch fails, the fallback builds a curl command line from the request's URL or headers and runs it through a shell, so metacharacters in that data become command execution. Because the server normally listens on the developer's own machine, an attacker on the same network (for example public Wi-Fi) can reach it directly, or a remote attacker can use DNS rebinding: lure the victim to a malicious site whose hostname is re-pointed at 127.0.0.1, so the victim's browser sends the requests on the attacker's behalf. More broadly, the case shows a risk specific to AI-driven developer tools: an indirect prompt injection in content the model reads could steer the agent into calling tools such as get_figma_data with attacker-chosen arguments.


The fix shipped in figma-developer-mcp version 0.6.3 on September 29, 2025: update now. The underlying lesson for anyone writing similar tooling is to never pass untrusted input through child_process.exec, which hands the whole command line to a shell; use child_process.execFile (or spawn) with an argument array, so the input reaches curl as a single argument and no shell ever interprets it, and validate URLs and header values before building the request. The disclosure comes amid a wider run of AI-tool issues, such as the still-unpatched ASCII smuggling technique against Google's Gemini, which hides instructions from filters and could be used to poison data in Workspace integrations. As LLMs become part of enterprise tooling, locally run agents that can execute commands or fetch URLs need the same attack-surface review as any other network-exposed service.
 
 
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security