A critical command injection vulnerability has been discovered in the figma-developer-mcp Model Context Protocol (MCP) server, a tool used to connect AI coding agents with Figma design data. This high-severity vulnerability, identified as CVE-2025-53967 and rated 7.5 on the CVSS scale, enables an unauthenticated attacker to remotely execute arbitrary code on a developer’s machine.
The MCP server is designed to perform various Figma operations, often triggered by AI agents. The flaw exists in a fallback mechanism within the server’s code, specifically in how it handles API requests. If an initial fetch API call fails, the server constructs a curl command to retry the request. However, it directly interpolates user-provided data into this command string without proper validation.
This allows an attacker to inject malicious shell metacharacters into the command. By crafting a special request, a threat actor can trick the server into executing arbitrary system commands with the same privileges as the server process. The attack can be initiated through several vectors, including indirect prompt injection via an AI client, a DNS rebinding attack by luring a victim to a malicious website, or a malicious actor on the same local network (such as public Wi-Fi). This design oversight effectively turns a local development tool into a significant security risk, potentially exposing sensitive developer environments to complete takeover. The vulnerability has been addressed in version 0.6.3 of the figma-developer-mcp package, and all users are urged to update immediately.
Successful exploitation of this RCE vulnerability could grant a threat actor significant control over the host machine. The access could lead to the compromise of highly sensitive developer data and corporate assets. The potentially compromised data and systems include:
- Source code and private repositories
- API keys, credentials, and other secrets stored on the developer’s machine
- Access to internal corporate networks
- SSH keys and other authentication tokens
- Personal and corporate email communications