CVE-2025-56803

Name of the Vulnerable Software and Affected Versions Figma Desktop versions 125.6.5

Description Figma Desktop for Windows version 125.6.5 contains a command injection issue in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child process.exec without validation, potentially leading to remote code execution (RCE).

Recommendations Update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting the use of local plugins until a patch is available.