Worrying Figma MCP security flaw could let hackers execute code remotely - here's how to stay safe

Website screenshot of Figma (August, 2025)
(Image credit: Future)

  • CVE-2025-53967 allows remote code execution via a command injection flaw in figma-developer-mcp
  • The vulnerability stems from unvalidated input passed to shell commands through child_process.exec
  • Users should upgrade to version 0.6.3 or switch to the safer child_process.execFile API

A vulnerability has been found in the bridge between Figma and AI agents which could be used to remotely execute malicious code on compromised endpoints, experts have warned.

A new security advisory published on GitHub says the ‘figma-developer-mcp’ npm package is vulnerable to a command injection flaw.

Figma is a cloud-based design tool built for developing user interfaces, websites, and apps. The figma-developer-mcp server is a small package that connects Figma to AI coding agents like Cursor or GitHub Copilot through the Model Context Protocol (MCP) and lets AI tools interact with Figma through its API. It is something like a bridge between Figma and AI agents.

How to stay safe

There is also Framelink - a third-party integration built on top of Figma’s Developer MCP server, which lets these AI systems interact with Figma documents: fetching design elements, reading structure, or even generating code from design layouts.

Now, security researchers have found that figma-developer-mcp is vulnerable to a command injection flaw that allows threat actors to insert special characters into the input and trick the system into running any command they want. It is tracked as CVE-2025-53967, and was given a severity score of 7.5/10 (high).

"The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.)," the GitHub advisory reads. "Successful exploitation can lead to remote code execution under the server process's privileges."

To address the flaw, users should grab version 0.6.3 of figma-developer-mcp, published on September 29, 2025.

Those who cannot do that right now should stop using child_process.exec with untrusted input, and instead switch to child_process.execFile - a “much safer API” that lets callers pass arguments as a separate array, avoiding shell interpretation entirely.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
