Full Report
Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can
Analysis Summary
# Vulnerability: Command Injection in Framelink Figma MCP Server Leading to RCE
## CVE Details
- CVE ID: CVE-2025-53967
- CVSS Score: 7.5 (High)
- CWE: CWE-78 (Improper Neutralization of Special Elements used as User-Controllable Input When Performing a Command or Operating System Call)
## Affected Systems
- Products: Framelink Figma Model Context Protocol (MCP) Server (specifically the figma-developer-mcp package)
- Versions: Prior to v0.6.3
- Configurations: Instances where the fallback mechanism relies on executing system commands using unsanitized user input.
## Vulnerability Description
The vulnerability is a command injection flaw in the fallback path of the file-fetching logic (`src/utils/fetch-with-retry.ts`). When the initial request made with the standard `fetch` API fails, the server falls back to running a `curl` command through `child_process.exec`. Crucially, the URL and header values used to build that shell command are interpolated directly into the command string without sanitization. An attacker who controls those values can therefore inject shell metacharacters (such as `|`, `>`, `&&`) and have arbitrary system commands executed with the privileges of the server process. In practice these values reach the server through tools invoked by AI coding agents such as Cursor.
## Exploitation
- Status: PoC available (Reported by Imperva)
- Complexity: Medium
- Attack Vector: Network (Can be triggered remotely by sending specially crafted requests, potentially via DNS rebinding attacks in some scenarios).
## Impact
- Confidentiality: High (Possibility of data exposure by executing OS commands)
- Integrity: High (Potential for arbitrary code execution)
- Availability: High (Potential for system disruption through command execution)
## Remediation
### Patches
- Patch Release: **version 0.6.3** of figma-developer-mcp (released September 29, 2025).
### Workarounds
- Avoid using `child_process.exec` with any untrusted input.
- Developers should switch to using `child_process.execFile` instead, as it eliminates the risk of shell interpretation when executing external commands.
## Detection
- Indicators of compromise: Unauthorized system command execution originating from the MCP server process. Anomalous outbound network connections or file system activity from the service account running the MCP server.
- Detection methods and tools: Review server execution logs for unusual invocations of system binaries like `curl` constructed from user-supplied URL or header parameters. Monitoring for shell metacharacters (`|`, `>`, `&&`) being directly passed to execution contexts.
## References
- Vendor Advisory/Advisories: [Disclosed via GitHub advisory - GHSA-gxw4-4fc5-9gr5](https://github.com/advisories/GHSA-gxw4-4fc5-9gr5)
- Relevant links:
  - [The Hacker News article discussing the flaw](https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html)
  - [Imperva analysis of CVE-2025-53967](https://www.imperva.com/blog/another-critical-rce-discovered-in-a-popular-mcp-server/)