A major security flaw has been discovered in the Figma Model Context Protocol (MCP) server, a tool commonly used by developers to integrate design and AI workflows. This vulnerability allows hackers to remotely execute code on a user’s system, putting development environments at serious risk. The flaw has been identified as CVE-2025-53967 and classified as a high-severity threat.

The issue lies in how the Figma MCP server processes certain commands. In versions up to 0.6.2, the software builds a shell command using user input without properly validating or cleaning it. Because of this, attackers can insert malicious code into that input. When the system runs the command, it also executes the injected code, giving hackers the ability to control parts of the system remotely.

Experts explain that this type of weakness is known as a command injection vulnerability. It occurs when software allows untrusted data to be passed into a system command, which can then run unintended actions. In this case, the bug can lead to remote code execution (RCE), meaning an attacker could take full control of the machine running the MCP server if it’s exposed to external connections.

The vulnerability has been rated as “High” with a CVSS score of 7.5. This score means the flaw is serious enough to warrant immediate action, especially for developers using automated or networked environments. Fortunately, the maintainers of the project have already released a patched version, 0.6.3, that fixes the problem by properly sanitizing command inputs.

The core issue was found in a fallback function used by the MCP server. When a data fetch operation fails, the code runs a system command using child_process.exec, a function that passes a command string to a shell for execution. However, the code inserted dynamic values (like URLs or headers) directly into the command string without validation. This gave attackers the chance to slip in extra commands by using special characters such as | or &&.

Security experts advise developers to update to version 0.6.3 or later immediately. If updating isn’t possible right away, it’s recommended to block network access to the MCP server from untrusted sources. Developers should also avoid passing untrusted input into child_process.exec altogether. Instead, they can use safer methods like child_process.execFile, which separates commands from arguments and prevents injection.
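
The difference between the two calls, as an added example that is not code from the figma-developer-mcp package: the URL and headers are validated and passed to curl as an argument array through child_process.execFile, so no shell ever parses them. The function names, the api.figma.com allow-list, the curl flags and the sample values are assumptions made for illustration.

```javascript
const { execFile } = require("node:child_process");

// Assumption: the only host this fallback should ever contact.
const ALLOWED_HOSTS = new Set(["api.figma.com"]);
const HEADER_NAME = /^[A-Za-z0-9-]+$/;

// Constructed sample input: a URL value carrying a shell operator.
const SAMPLE_URL = "https://api.figma.com/v1/files/KEY && echo INJECTED";

// The pattern the article describes, built as a string only and never executed:
// whatever is in `url` becomes part of the text a shell would parse.
function shellStringPattern(url) {
  return `curl -s ${url}`;
}

// Hardened form: validate first, then build an argv array.
function buildCurlArgs(rawUrl, headers = {}) {
  const url = new URL(rawUrl); // throws on unparsable input
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error(`refusing URL outside allow-list: ${url.origin}`);
  }
  const args = ["-s", "--proto", "=https"];
  for (const [name, value] of Object.entries(headers)) {
    // Reject malformed names and CR/LF, which would split one header into two.
    if (!HEADER_NAME.test(name) || /[\r\n]/.test(String(value))) {
      throw new Error(`invalid header: ${name}`);
    }
    args.push("-H", `${name}: ${value}`);
  }
  // url.href is the normalised form and always starts with "https://".
  args.push(url.href);
  return args;
}

// execFile starts curl directly; each array element is exactly one argument.
function fetchWithCurl(rawUrl, headers) {
  return new Promise((resolve, reject) => {
    execFile("curl", buildCurlArgs(rawUrl, headers), { timeout: 10000 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}
```

With the sample URL, the string form still contains a bare && for a shell to act on, while the array form carries the whole value as a single, percent-encoded final argument.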

Until systems are patched, users should assume that any exposed MCP server is vulnerable. Teams are advised to scan their projects to identify if they use the figma-developer-mcp package and upgrade it across all environments. Restricting network access and monitoring unusual activity from the MCP process are also critical steps.

This vulnerability is particularly worrying because the MCP server often serves as a bridge between AI-powered development tools and Figma’s design platform. If that bridge is compromised, attackers could exploit it to run harmful code, steal project data, or disrupt workflows. For companies that rely on design-to-code pipelines, this flaw highlights how even small developer tools can become major security risks.

In summary, CVE-2025-53967 affects versions of the Figma MCP server up to 0.6.2 and allows attackers to execute arbitrary commands remotely. The fix is included in version 0.6.3, which is now available. Developers should update immediately, isolate vulnerable systems, and review any custom scripts that handle external inputs.

This incident serves as a strong reminder that even development tools need strict security practices. One weak link, such as a command injection flaw, can give attackers access to an entire system. Staying updated and vigilant is the best defense against such evolving cyber threats.

Stay alert, and keep your security measures updated!
