• Worrying Figma MCP security flaw could let hackers execute code remotely - here's how to stay safe

    From TechnologyDaily@1337:1/100 to All on Thursday, October 09, 2025 16:15:08
    Worrying Figma MCP security flaw could let hackers execute code remotely - here's how to stay safe

    Date:
    Thu, 09 Oct 2025 15:11:00 +0000

    Description:
    A command injection flaw was recently found in an npm package used to connect Figma to AI agents.

    FULL STORY ======================================================================
    - CVE-2025-53967 allows remote code execution via a figma-developer-mcp command injection flaw
    - The vulnerability stems from unvalidated input passed to shell commands using child_process.exec
    - Users should upgrade to version 0.6.3 or switch to the safer child_process.execFile API

    A vulnerability has been found in the bridge between Figma and AI agents
    which could be used to remotely execute malicious code on compromised endpoints, experts have warned.

    A new security advisory published on GitHub says the figma-developer-mcp npm package is vulnerable to a command injection flaw.

    Figma is a cloud-based design tool built for developing user interfaces, websites, and apps. The figma-developer-mcp server is a small package that connects Figma to AI coding agents like Cursor or GitHub Copilot through the Model Context Protocol (MCP) and lets AI tools interact with Figma through
    its API. It is something like a bridge between Figma and AI agents.

    How to stay safe

    There is also Framelink - a third-party integration built on top of Figma's Developer MCP server, which lets these AI systems interact with Figma documents: fetching design elements, reading structure, or even generating code from design layouts.

    Now, security researchers found that figma-developer-mcp is vulnerable to a command injection flaw that allows threat actors to insert special characters into the input and trick the system into running any command they want. It is tracked as CVE-2025-53967, and was given a severity score of 7.5/10 (high).

    "The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility
    of shell metacharacter injection (|, >, &&, etc.)," the GitHub advisory
    reads. "Successful exploitation can lead to remote code execution under the server process's privileges."

    To address the flaw, users should grab version 0.6.3 of figma-developer-mcp, published on September 29, 2025.

    Those who cannot do that right now should stop using child_process.exec with untrusted input, and instead switch to child_process.execFile - a much safer API that allows users to pass arguments as a separate array - avoiding shell interpretation entirely.

    Via The Hacker News



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/worrying-figma-mcp-security-flaw-could-let-hackers-execute-code-remotely-heres-how-to-stay-safe


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)