Patched command injection in Figma MCP server could allow remote code execution, researchers say

Cybersecurity researchers disclosed a now-patched command injection vulnerability in the figma-developer-mcp Model Context Protocol server that could allow attackers to achieve code execution, according to a GitHub advisory. The flaw is tracked as CVE-2025-53967 and carries a CVSS score of 7.5.

The advisory says the server constructs and executes shell commands using unvalidated user input, opening the door to injection of shell metacharacters such as |, > and &&. The advisory warned that successful exploitation can lead to remote code execution with the privileges of the server process.

Security company Imperva, which discovered and reported the problem in July 2025, described the issue as a design oversight in a fallback mechanism that could allow full remote code execution. Imperva said the flaw occurs during construction of a command-line instruction used to send traffic to the Figma API endpoint.

The published exploitation sequence begins when an MCP client requests an mcp-session-id and then issues a JSON-RPC tools/call request to invoke tools such as get_figma_data or download_figma_images. The root cause was identified in src/utils/fetch-with-retry.ts, where a failed fetch call falls back to invoking curl via child_process.exec, permitting interpolation of URL or header values into a shell command.

Maintainers released a fix in version 0.6.3 on September 29, 2025. The article recommends avoiding use of child_process.exec with untrusted input and switching to child_process.execFile to eliminate risk from shell interpretation.

The report placed the finding in the broader context of risks tied to AI-driven development tools and related attack techniques. It cited commentary from FireTail and linked to further reading on attack methods and defenses.