GRAPHIC APPAREL SHOPFor many developers, Figma’s MCP (Model Context Protocol) server is a backbone for AI-driven workflows. But a recent security flaw transformed it from a productivity booster into a serious risk. This vulnerability, discovered in the widely used figma-developer-mcp server, exposed countless users to the possibility of remote code execution (RCE) until a patch was released.
What Went Wrong?
The issue at the heart of this incident was a command injection vulnerability, officially tracked as CVE-2025-53967 with a high CVSS score of 7.5. Security researchers found that improper input sanitization allowed attackers to inject arbitrary system commands. Since MCP servers enable advanced AI agents to perform automated Figma tasks, the implications were significant, any attacker exploiting this flaw could execute harmful actions remotely, potentially leading to data theft or system compromise.
How Attackers Could Exploit the Flaw
The vulnerability was due to the way the MCP server handled user inputs for shell commands. By interpolating these inputs directly into command-line strings without validation, the server became susceptible to shell metacharacter injection. Attackers could use characters like |, >, and && to append malicious commands, enabling full remote code execution under the server’s user permissions.
- An MCP client starts a session with an Initialize request.
- JSONRPC requests follow, triggering Figma actions such as data retrieval or image downloads.
- If the server’s main fetch method fails, it falls back on a
curlcommand viachild_process.exec, exposing the vulnerability.
Real-World Attack Scenarios
There were two primary exploitation methods. Attackers could either be on the same network, sending crafted requests directly, or use a DNS rebinding attack to trick a victim’s browser into targeting their local MCP server. In both cases, successful exploitation granted attackers the ability to run arbitrary commands, risking sensitive data and overall system integrity.
Rapid Response and Remediation
This critical flaw was responsibly disclosed by cybersecurity firm Imperva in July 2025. Figma responded quickly, releasing version 0.6.3 of the MCP in September 2025. The fix involved moving away from child_process.exec (wwhich interprets untrusted input as shell commands) and adopting child_process.execFile, a safer alternative that does not invoke a shell and thus blocks command injection attempts.
Broader Security Lessons for AI Tools
This incident highlights a growing concern as AI-powered development tools become more integrated into daily workflows. Even tools designed for local use can become threats if security best practices are not rigorously applied. This points to similar vulnerabilities in other platforms, such as Google’s Gemini chatbot, which reportedly remains open to ASCII smuggling attacks capable of bypassing filters and causing unexpected behavior.
Final Takeaway
Rapid disclosure and patching were vital in containing this Figma MCP threat, but the lesson extends far beyond one tool. Developers and organizations must stay vigilant, regularly update their software, and avoid risky coding practices like executing untrusted input in system commands. As AI automation proliferates, robust security hygiene is more critical than ever for protecting workflows and data.
Source: The Hacker News
Figma MCP Vulnerability: How a Simple Flaw Created Major Security Risks for Developers