Mallory

Severity: High

Command Injection RCE in Framelink Figma MCP Server

Identifiers: CVE-2025-53967, CWE-78

CVE-2025-53967 is a high-severity command injection vulnerability in Framelink Figma MCP Server (also referenced as the Figma/figma-developer MCP server) before version 0.6.3. The flaw is caused by insufficient sanitization of user-controlled input that is incorporated into a shell command used by the server's fetchWithRetry logic, reportedly in src/utils/fetch-with-retry.ts. In vulnerable versions, attacker-supplied values can be passed into a curl command string, and shell metacharacters in a crafted HTTP POST / JSON-RPC request can break out of the intended command context and inject arbitrary operating system commands. Successful exploitation results in remote code execution as the MCP server process. Reporting also indicates the issue is related to use of child_process.exec with untrusted input, and that exploitation may be possible both through direct access to the MCP interface and in certain DNS rebinding scenarios.


Analyst brief: impact, mitigation & remediation

What it means, what to do now: patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful exploit allows an unauthenticated remote attacker to execute arbitrary OS commands with the privileges of the MCP process. This can enable full compromise of the application context, including access to data reachable by the MCP server, abuse of the server's Figma-related capabilities, installation of additional tooling or malware, credential and token theft from the host environment, pivoting to adjacent resources accessible from the compromised system, and modification of application behavior. Depending on deployment context, this may also expose developer workstations or locally run AI/developer tooling to compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to the MCP interface to trusted local users or tightly controlled hosts only, and do not expose the service to untrusted networks. Apply strict input validation to reject shell metacharacters and other unexpected characters in any values that may reach command execution paths. Disable or isolate vulnerable functionality where feasible, run the MCP server with the least privileges possible, and place it in a constrained environment to limit post-exploitation impact. Defenses against DNS rebinding and similar browser-assisted access patterns should also be considered where the service is locally exposed.

Remediation

Patch, then assume compromise.

Upgrade Framelink Figma MCP Server to version 0.6.3 or later, which contains the patch for this issue. In code, eliminate shell-based command construction with untrusted input; specifically, avoid child_process.exec for attacker-influenced values and use safer process invocation patterns such as execFile/spawn with fixed arguments and no shell interpretation. Review the fetchWithRetry implementation and any similar code paths to ensure URLs, headers, and other request-derived values are never interpolated into shell command strings. Validate and sanitize all externally supplied input before use.

Public exploits

No public exploit code observed for this vulnerability (0 valid / 0 total tracked).

Recent activity

24 sources tracked across advisories, community write-ups, and news.
