Zero-click RCE in Figma Desktop

Benjamin Mamoud's research shows how a chain of flaws in Figma Desktop led to remote code execution.
The chain began with prototype pollution: the UI rejected objects containing a __proto__ key, but the plugin API performed no such check and passed such an object straight into figma.combineAsVariants(). Because the check lived in the UI rather than at the sink, a plugin could reach the same code path and modify Object.prototype.
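The class of bug described above, as an added example that is not Figma's code: a recursive property-copying routine (a stand-in for whatever combineAsVariants() does internally; the merge function and its names are assumed here) that accepts caller-supplied keys verbatim, so a JSON payload carrying "__proto__" walks into Object.prototype, beside a version that drops prototype-bearing keys at the sink rather than relying on an upstream UI filter.

```javascript
// Added example (not Figma's code): prototype pollution through a recursive
// merge that trusts caller-supplied keys, and the hardened equivalent.

// Vulnerable: every key of `src`, including "__proto__", becomes a property
// name on `dst`. dst["__proto__"] resolves to Object.prototype, so the
// recursion lands there and writes attacker-controlled properties into it.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (dst[key] === undefined || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: refuse the keys that can reach a prototype, and only recurse into
// own properties of `dst` so an inherited object is never used as a target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // the check sits at the sink, not in the UI
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || typeof dst[key] !== 'object') {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs one merge against a constructed attacker payload and reports whether an
// unrelated, freshly created object now inherits the injected property.
// JSON.parse creates a real own property named "__proto__", which is exactly
// what a UI-level filter would have stripped but an API path does not.
function pollutionLeaks(merge) {
  const attackerInput = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input
  merge({}, attackerInput);
  const seenByFreshObject = ({}).polluted;
  delete Object.prototype.polluted; // undo any pollution so runs do not interfere
  return seenByFreshObject;
}

console.log('unsafeMerge leaks:', pollutionLeaks(unsafeMerge)); // "yes"
console.log('safeMerge leaks:', pollutionLeaks(safeMerge));     // undefined
```

The point the two variants make together is the one the Figma chain turned on: a filter applied in one caller (the UI) does nothing for a second caller (the plugin API) that reaches the same sink, so the key check has to live in the function that does the property copy.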
The researcher then exploited a race condition in $INTERNAL_DO_NOT_USE$RERUN_PLUGIN$ to restart the plugin inside the polluted context and overwrite the jsx_debugging flag, which exposed a hidden API, figma.jsx.deserialize.
Unsafe handling of JSX expressions then turned the prototype pollution into XSS: the polluted prototype supplied a modified error handler (errorHandler), giving the attacker JavaScript execution in the renderer.
The final stage ran on the Electron side. The IPC method writeFileToPath let the renderer write arbitrary data to a path of its choosing with insufficient restrictions on where that path could point. That arbitrary file write was then turned into code execution with the privileges of the Figma Desktop process.
Key stages of the chain:
• Prototype pollution: modification of Object.prototype via figma.combineAsVariants().
• Race condition: plugin restart in a polluted context.
• JSX deserialization XSS: transition from prototype pollution to JavaScript execution.
• Arbitrary file write → RCE: file write via IPC followed by code execution.
Vendors: Figma
Products: Electron, Figma Desktop
Published: 2026-05-18, 13:06