CVE-2025-53967

08.10.2025, 17:15

Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize user-supplied input, enabling the attacker to inject malicious commands that are executed with the privileges of the MCP process. Exploitation requires network access to the MCP interface.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8 HIGH	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
mitre	CNA	8 HIGH				CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Common Weakness Enumeration

CWE-420 - Unprotected Alternate Channel
The software protects a primary channel, but it does not use the same level of protection for an alternate channel.

Vulnerability Media Exposure

[ENGLISH] Severe Framelink Figma MCP Vulnerability Lets Hackers Execute Code Remotely
Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can
Published: 2025-10-08T16:28:00+05:30

References

https://github.com/GLips/Figma-Context-MCP/blob/96b3852669c5eed65e4a6e20406c25504d9196f2/src/utils/fetch-with-retry.ts#L34

https://github.com/GLips/Figma-Context-MCP/releases/tag/v0.6.3

https://www.imperva.com/blog/another-critical-rce-discovered-in-a-popular-mcp-server/