Technical Advisory: Figma MCP Server Remote Code Execution Vulnerability

Date: October 9, 2025

Severity: High

Package/Component: figma-developer-mcp (versions ≤0.6.2)

Advisories: GHSA-gxw4-4fc5-9gr5, CVE-2025-53967

Executive Summary

What Happened:

A remote code execution vulnerability was discovered in the Figma MCP (Model Context Protocol) server package, affecting versions 0.6.2 and earlier. The vulnerability allows attackers to execute arbitrary code on systems running vulnerable versions through specially crafted Figma file URLs.

Why It Matters:

  • Supply Chain Security: Third-party MCP servers are integrated directly into AI agent workflows, creating a trusted execution path that bypasses traditional security boundaries
  • AI Agent Trust Model: Agents often operate with elevated privileges and broad system access, amplifying the impact of compromised tools
  • Rapid Adoption Risk: The MCP ecosystem is seeing rapid adoption without mature security vetting processes for community packages
  • Attack Surface Expansion: Each MCP integration expands the agent's attack surface, and vulnerabilities can be exploited through natural language prompts

High-Level Risks:

  • Remote code execution on developer workstations and production systems
  • Credential theft from development environments
  • Data exfiltration from systems with agent access
  • Lateral movement through compromised development infrastructure

Immediate Actions:

  1. Audit Dependencies: Review all MCP server configurations and identify Figma MCP usage
  2. Update Immediately: Upgrade to version 0.6.3 or later where the vulnerability is patched
  3. Verify Patching: Confirm updated versions are deployed across all environments
  4. Monitor for IOCs: Review logs for suspicious Figma file URL processing or unexpected code execution

Overview

The Figma Developer MCP server contains a command injection vulnerability in versions 0.6.2 and earlier (GHSA-gxw4-4fc5-9gr5, CVE-2025-53967). The vulnerability stems from unsanitized use of input parameters within a call to child_process.exec, allowing attackers to inject arbitrary system commands through the get_figma_data tool. When exploited via indirect prompt injection or malicious tool calls, this can result in arbitrary code execution on the host system under the server process's privileges. Given the trusted position of MCP servers within agentic AI workflows, this vulnerability poses significant risk to organizations deploying AI agents with Figma integration capabilities.

Risk Analysis

This vulnerability is particularly concerning in the context of agentic AI systems due to:

  1. Trusted Tool Integration: MCP servers operate as trusted components within agent architectures, often with the same privilege level as the agent itself. Compromising an MCP server effectively compromises the agent's entire execution context.
  2. Dynamic Tool Invocation: Agentic systems autonomously decide which tools to invoke based on user prompts and conversation context. An attacker could craft prompts that naturally lead the agent to process malicious Figma URLs, triggering the vulnerability without the user's awareness.
  3. Privilege Escalation Pathway: Agents frequently operate with elevated permissions to accomplish their tasks (file system access, network access, credential access). Exploiting this vulnerability grants attackers the same elevated privileges, enabling rapid lateral movement and data exfiltration.

Technical Details

The vulnerability manifests through command injection in the get_figma_data tool:

  1. Root Cause:
    • The MCP server uses child_process.exec() with unsanitized user input to construct shell commands
    • The fileKey parameter is directly interpolated into a curl command without validation
    • Shell metacharacters (|, >, &&, $(), etc.) in the input are interpreted by the shell
    • Example vulnerable code pattern: curl -s -S --fail-with-body -L ${headers} "${url}"
  2. Exploitation Path:
    • Attacker provides prompt to AI agent that includes malicious shell commands in the fileKey parameter
    • Example payload: fileKey="$(id>/tmp/TEST)" or fileKey="; malicious_command;"
    • Agent invokes the get_figma_data tool with the malicious parameter
    • The injected commands execute with the privileges of the MCP server process
    • Attacker gains arbitrary code execution on the host system
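The root cause above, shown as the injectable string-building pattern beside one hardened form. This is an added example, not the project's code or its actual patch; the function names, the alphanumeric fileKey format, the X-Figma-Token header and the API base URL are assumptions made for illustration.

```javascript
// Added example (not figma-developer-mcp's own code).
const { execFile } = require("node:child_process");

// Assumption: a Figma file key is a short alphanumeric identifier.
const FILE_KEY_RE = /^[A-Za-z0-9]{1,64}$/;
const API_BASE = "https://api.figma.com/v1/files/"; // assumed endpoint

// BEFORE: the pattern the advisory describes. The returned string would be
// passed to child_process.exec, which hands it to a shell, so $(), ;, | and &&
// inside fileKey are evaluated. Double quotes do not stop $() substitution.
function vulnerableCommand(fileKey, token) {
  return `curl -s -S --fail-with-body -L -H "X-Figma-Token: ${token}" "${API_BASE}${fileKey}"`;
}

// Allowlist check: reject anything that is not a plain identifier.
function isValidFileKey(fileKey) {
  return typeof fileKey === "string" && FILE_KEY_RE.test(fileKey);
}

// AFTER: validate first, then build an argv array instead of a command string.
function buildCurlArgs(fileKey, token) {
  if (!isValidFileKey(fileKey)) {
    throw new Error("rejected fileKey: not a plain alphanumeric identifier");
  }
  return [
    "-s", "-S", "--fail-with-body", "-L",
    "-H", `X-Figma-Token: ${token}`,
    // encodeURIComponent is a second layer in case the allowlist is loosened.
    API_BASE + encodeURIComponent(fileKey),
  ];
}

// execFile spawns curl directly with no shell, so each array element reaches
// curl as one literal argument and metacharacters are never interpreted.
function fetchFigmaFile(fileKey, token, callback) {
  execFile("curl", buildCurlArgs(fileKey, token), { timeout: 15000 }, callback);
}
```

Either control alone removes the shell interpretation; using both means a later change to one does not reopen the injection.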

Impact

Systems affected by this vulnerability may experience:

  • Arbitrary Code Execution: Attackers can execute any code on the host system running the vulnerable MCP server
  • Data Exfiltration: Access to sensitive files, credentials, environment variables, and other data accessible to the agent
  • System Compromise: Installation of backdoors, persistence mechanisms, or additional malware
  • Credential Theft: Extraction of API keys, tokens, SSH keys, cloud credentials, and other authentication materials
  • Lateral Movement: Using compromised systems as pivot points to attack other systems in the network
  • Supply Chain Contamination: Injection of malicious code into build artifacts, repositories, or deployment pipelines

Affected Versions

The following versions are known to be affected:

  • figma-developer-mcp ≤ 0.6.2 (all versions up to and including 0.6.2)

Patched versions:

  • ≥ 0.6.3 (version 0.6.3 and later are not affected)

Immediate Mitigation Steps

  1. Identify Vulnerable Installations:
    # Check npm packages
    npm list figma-developer-mcp

    # Check MCP configuration files
    grep -r "figma-developer-mcp" ~/.config/

  2. Update to Patched Version:
    # Update to version 0.6.3 or later
    npm update figma-developer-mcp

    # Or explicitly install latest version
    npm install figma-developer-mcp@latest

  3. Verify Patch Application:
    • Confirm version 0.6.3 or higher is installed across all environments
    • Review MCP server configuration files to ensure updated versions are referenced
    • Restart any running MCP server instances to apply updates
  4. Review for Compromise:
    • Examine system logs for suspicious Figma URL processing around the time of vulnerability disclosure
    • Check for unexpected network connections or child processes spawned by MCP server
    • Review file system for unauthorized modifications
    • Audit credential usage for signs of unauthorized access
  5. Implement Monitoring:
    • Subscribe to security advisories for MCP packages
    • Enable logging for all MCP server tool invocations
    • Set up alerts for anomalous behavior patterns
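One way to act on the log review and tool-invocation logging steps above is to scan recorded MCP requests for get_figma_data calls whose fileKey is not a plain identifier. This is an added example, not part of the original advisory or the project; it assumes tool invocations are logged one JSON-RPC tools/call message per line, and the log lines and function name are constructed for illustration.

```javascript
// Added example: flag get_figma_data calls with a non-identifier fileKey.
// Assumption: Figma file keys are short alphanumeric strings.
const SAFE_KEY = /^[A-Za-z0-9]{1,64}$/;

function findSuspiciousCalls(logText) {
  const findings = [];
  logText.split("\n").forEach((line, idx) => {
    if (!line.trim()) return;
    let msg;
    try {
      msg = JSON.parse(line);
    } catch {
      return; // not a JSON-RPC record; ignore log noise
    }
    if (!msg || msg.method !== "tools/call") return;
    const params = msg.params || {};
    if (params.name !== "get_figma_data") return;
    const key = (params.arguments || {}).fileKey;
    if (typeof key !== "string" || !SAFE_KEY.test(key)) {
      findings.push({
        line: idx + 1,
        id: msg.id ?? null,
        fileKey: String(key).slice(0, 80), // truncate for safe display
      });
    }
  });
  return findings;
}

// Constructed sample log (JSON lines); payload strings are the advisory's own.
const call = (id, fileKey) => JSON.stringify({
  jsonrpc: "2.0", id, method: "tools/call",
  params: { name: "get_figma_data", arguments: { fileKey } },
});
const SAMPLE_LOG = [
  call(1, "AbC123xyz"),
  call(2, "$(id>/tmp/TEST)"),
  JSON.stringify({ jsonrpc: "2.0", id: 3, method: "tools/list" }),
  call(4, "; malicious_command;"),
  "server started", // non-JSON noise
].join("\n");

console.log(findSuspiciousCalls(SAMPLE_LOG));
```

A hit shows that a crafted value reached the tool, not that it executed; correlate it with child processes spawned by the MCP server around the same time.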

Long-term Recommendations

  1. MCP Security Governance:
    • Establish approval process for adding new MCP servers to agent configurations
    • Require security review of community MCP packages before adoption
    • Maintain inventory of all MCP servers in use across the organization
    • Implement automated vulnerability scanning for MCP dependencies
  2. Agent Security Hardening:
    • Run MCP servers with least-privilege principles (restricted file system, network access)
    • Implement sandboxing or containerization for MCP server execution
    • Enable human-in-the-loop approval for high-risk tool invocations
    • Deploy runtime monitoring and anomaly detection for agent behavior
  3. Supply Chain Security:
    • Prefer official, vendor-maintained MCP servers over community packages where possible
    • Pin MCP server versions and test updates in non-production environments before deployment
    • Monitor security advisories and CVE databases for MCP-related vulnerabilities
    • Implement dependency scanning in CI/CD pipelines to catch vulnerable MCP packages

Framework Context

This vulnerability aligns with multiple security frameworks:

  • OWASP ASI T11 Unexpected RCE: Agentic systems with tool access can be exploited to achieve remote code execution through vulnerabilities in integrated components, bypassing traditional security controls
  • OWASP ASI T2 Tool Misuse: The vulnerability enables adversarial misuse of the Figma MCP tool, allowing attackers to leverage the agent's dynamic tool invocation capabilities for malicious purposes
  • OWASP LLM03:2025 Supply Chain: The vulnerability demonstrates supply chain risks in AI systems, where third-party tool integrations can introduce critical security weaknesses
  • CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'): The vulnerability stems from constructing shell commands using externally-influenced input without proper neutralization of shell metacharacters

Updates

Organizations should verify that all Figma MCP server installations have been updated to version 0.6.3 or later. Additional information about this vulnerability will be added as it becomes available through security advisories and vulnerability databases.