PT-2025-40054 · Unknown · Figma-Developer-Mcp

Yohann Sillam · Published 2025-09-30 · Updated 2025-10-20 · CVE-2025-53967

CVSS v3.1: 8.0
Vector: AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Framelink Figma MCP Server (npm package figma-developer-mcp), versions prior to 0.6.3
Description: A command injection flaw exists in the Framelink Figma MCP Server that allows an unauthenticated remote attacker to execute arbitrary operating system commands. The vulnerability stems from the unsanitized use of user-supplied input within a child_process.exec call, which lets an attacker inject commands that run with the privileges of the server process. Exploitation requires network access to the MCP interface.

The defect is in the fetchWithRetry function, which falls back to running a curl command via child_process.exec when a standard fetch request fails. The command is constructed by directly interpolating URL and header values into a shell command string, so any shell metacharacters in those values (double quotes, semicolons, backticks, $(...) and the like) are interpreted by /bin/sh instead of being passed to curl as data. Because the URL and headers are derived from whatever the MCP server is asked to fetch, the flaw is reachable in several ways, including indirect prompt injection and crafted API requests. The server is widely used, with around 100,000 monthly downloads. Successful exploitation leads to remote code execution (RCE) on the host machine, which can allow an attacker to read local files, exfiltrate credentials, or implant malware. The vulnerability was discovered in July 2025 and addressed in version 0.6.3.
Recommendations: Update to version 0.6.3 or later of figma-developer-mcp. Avoid using child_process.exec with untrusted input. Use child_process.execFile (or child_process.spawn with an argument array) instead of child_process.exec, so that the URL and each header reach curl as separate arguments without any shell interpretation.

Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-53967
GHSA-GXW4-4FC5-9GR5

Affected Products

Figma-Developer-Mcp