A newly discovered flaw in the Figma MCP server could allow attackers to execute code remotely. The vulnerability, tracked as CVE-2025-53967 with a CVSS score of 7.5, is a command injection bug. This vulnerability allows attackers to send arbitrary system commands by exploiting how the server uses unsanitized user input. This flaw is particularly concerning because the server exposes tools that use AI-powered coding agents, such as Cursor, allowing an attacker to indirectly manipulate the agent’s actions through a type of prompt injection.
The vulnerability was discovered and reported in July 2025 by the cybersecurity company Imperva, who described it as a “design oversight.” It happens when the server builds and runs shell commands using unvalidated user input. This oversight creates an opportunity for attackers to inject special shell characters (like |, >, and &&), which can lead to remote code execution with the same privileges as the server process. According to Imperva security researcher Yohann Sillam, the flaw occurs specifically during the creation of a command-line instruction used to send traffic to the Figma API endpoint.
The exploitation process happens in a series of steps. First, the MCP client sends an “Initialize” request to the server to get a session ID. Then, the client sends a “JSONRPC” request to call a tool, such as get_figma_data. The vulnerability’s core lies in the src/utils/fetch-with-retry.ts file. This script first tries to get content using the standard fetch API. If that fails, it falls back to executing a curl command through child_process.exec. Because this curl command is constructed by directly inserting URL and header values into a shell string, an attacker can use a specially crafted URL or header to inject arbitrary shell commands, leading to RCE on the host machine.
An attacker on the same network (for example, on public Wi-Fi or a compromised corporate device) can exploit this vulnerability by sending a series of requests to the vulnerable MCP. Alternatively, a victim could be tricked into visiting a specially crafted website as part of a DNS rebinding attack. The vulnerability was fixed in version 0.6.3 of figma-developer-mcp, released on September 29, 2025. To prevent similar issues, it’s recommended to avoid using child_process.exec with untrusted input and switch to child_process.execFile, which doesn’t interpret shell metacharacters.
This incident highlights a growing concern in the rapidly evolving landscape of AI-driven development tools. As these tools become more popular, it’s crucial that security measures keep up with innovation. This vulnerability serves as a stark reminder that even tools designed to run locally can become powerful entry points for attackers. This is especially relevant given another recent disclosure by FireTail: Google decided not to fix a new ASCII smuggling attack in its Gemini AI chatbot. This technique, which also affects other large language models like DeepSeek and xAI’s Grok, can be used to bypass security filters and induce undesirable responses.
Reference:
