- A command injection vulnerability was found in the figma-developer-mcp Model Context Protocol (MCP) server.
- The flaw could allow attackers to run arbitrary system commands and achieve remote code execution.
- The issue stems from unvalidated user input used in shell commands executed via child_process.exec.
- The vulnerability was fixed in version 0.6.3 of figma-developer-mcp, released on September 29, 2025.
- Security experts highlight the risk this flaw poses to AI-powered development tools integrated with Figma and similar platforms.
Cybersecurity researchers disclosed a vulnerability in the figma-developer-mcp Model Context Protocol (MCP) server that could enable attackers to execute arbitrary system commands remotely. The issue was publicly reported on October 8, 2025, and affects the widely used MCP server connected to Figma, an online design platform.
The vulnerability, identified as CVE-2025-53967 with a CVSS score of 7.5, results from unsafe handling of user input when constructing shell commands. The server uses unvalidated input directly in command-line strings, allowing shell metacharacter injection such as |, >, &&, enabling attackers to inject and execute malicious commands. This flaw was addressed by Imperva, the cybersecurity company that discovered and reported it in July 2025.
According to the GitHub advisory, exploitation occurs when the MCP client sends requests that invoke tools like get_figma_data or download_figma_images via JSONRPC calls. The root cause lies in the file “src/utils/fetch-with-retry.ts,” which tries to fetch data using the standard API and, if it fails, runs a curl command through child_process.exec. Because inputs are directly embedded in the shell command without validation, attackers can craft inputs that inject arbitrary shell code.
“Because the curl command is constructed by directly interpolating URL and header values into a shell command string, a malicious actor could craft a specially designed URL or header value that injects arbitrary shell commands,” Imperva explained. This leads to remote code execution on the host machine with the server’s privileges.
Attackers on the same network or those who trick users into visiting malicious websites via DNS rebinding attacks can trigger the exploit. The vulnerability was patched in version 0.6.3 of figma-developer-mcp, released on September 29, 2025. The fix includes avoiding the use of child_process.exec with untrusted data and switching to safer methods like child_process.execFile that do not allow shell interpretation.
Experts warn that as AI-driven development tools, such as Cursor, increasingly integrate with platforms like Figma, security risks become more critical. The flaw underlines potential dangers when local tools serve as entry points for attackers.
In related news, security researchers at FireTail disclosed that Google’s Gemini AI chatbot has an unresolved ASCII smuggling technique vulnerability. This attack method can bypass security filters and induce harmful behavior, representing a broader challenge for AI systems embedded deeply into enterprise platforms.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Ethereum Eyes $4,811 Breakout as Analysts Predict $8,500 Surge
- Dogecoin Leads Crypto Decline, BNB Hits Record High Amid Market Drop
- MSTR Premium to Bitcoin Hits 19-Month Low, Investor Optimism Fades
- Forward Industries Launches Top 10 Solana Validator at 0% Fee
- Gold Hits $4,035 High as Seven Nations Drive XAU/USD Surge
