Researchers from Imperva have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp (Model Context Protocol, MCP) server. The issue allowed attackers to remotely execute arbitrary code.
The vulnerability has been assigned the identifier CVE-2025-53967 (CVSS score 7.5) and is a command injection issue caused by user input being placed into a shell command without escaping. As a result, attackers can execute arbitrary system commands.
“The server constructs and executes shell commands by directly inserting unvalidated user input into the command line. This creates a risk of injecting shell metacharacters (|, >, &&, and others),” reads the bug description on GitHub. “Successful exploitation of the vulnerability can lead to remote code execution with the privileges of the process.”
Since Framelink Figma MCP provides various tools for interacting with Figma via AI agents such as Cursor, an attacker can trick the MCP client into performing unwanted actions through an indirect prompt injection.
Researchers at Imperva, who discovered this vulnerability in July 2025, described CVE-2025-53967 as an “architectural oversight” in the fallback mechanism that allowed attackers to achieve remote code execution and put developers at risk of data leakage.
As the researchers explain, the bug occurs "during the construction of the command line used to send traffic to the Figma API endpoint."
Exploitation of the vulnerability proceeds in several steps:
- The MCP client sends an Initialize request to the MCP endpoint to obtain the mcp-session-id identifier, which is used for further communication with the server.
- The client sends a JSONRPC request with the method tools/call to invoke tools such as get_figma_data or download_figma_images.
The issue lies in the src/utils/fetch-with-retry.ts file: when a standard fetch API request fails, the server falls back to running a curl command through child_process.exec. Because exec passes the command string to a shell, any shell metacharacters in the attacker-influenced parts of that string are interpreted as commands, which is the command injection.

As a result, an attacker on the same network (for example, on public Wi‑Fi or a compromised corporate network) can exploit CVE‑2025‑53967 by sending a series of requests to a vulnerable MCP server. Additionally, the victim can be tricked into visiting a specially crafted website as part of a DNS rebinding attack, which lets the attacker's page reach an MCP server that only listens locally.
The vulnerability was fixed in figma-developer-mcp version 0.6.3, released on September 29, 2025. Additionally, to protect against similar attacks, it is recommended to avoid using child_process.exec with untrusted input and switch to child_process.execFile, which runs the program directly with an argument array instead of handing a command string to a shell.
“As AI development tools evolve and become more widespread, it is crucial that security keeps pace with innovation,” the experts note. “This bug serves as a reminder that even local tools can become a convenient entry point for attackers.”