A critical security flaw in the popular Model Context Protocol (MCP) server for Figma, figma-developer-mcp, has been patched after researchers demonstrated a path to remote code execution (RCE). Tracked as CVE-2025-53967 with a CVSS score of 7.5, the vulnerability stemmed from a fallback mechanism that constructed shell commands using untrusted input when Figma API requests failed. According to Imperva’s analysis, the issue exposed environments integrating MCP with AI agents such as Cursor to elevated risk.
Vulnerability overview: command injection in the curl fallback
The defect originated in src/utils/fetch-with-retry.ts. When a standard HTTP fetch call failed, the server attempted a retry by invoking curl via child_process.exec. Because user-controlled parameters were interpolated directly into a shell command without proper validation or escaping, attackers could inject shell metacharacters (for example: |, >, &&) and pivot to RCE with the privileges of the MCP process.
How the flaw was exploitable (CWE-78)
This behavior aligns with CWE-78: Improper Neutralization of Special Elements used in an OS Command. If the primary API call encountered an error, the fallback path built a command string that included attacker-supplied input. Without input sanitization or shell-neutral handling, malicious tokens became part of the executed instruction. The outcome: arbitrary command execution on the host running the MCP server.
Attack vectors: local network adversaries and DNS rebinding
Imperva reports that an attacker on the same network—think public Wi‑Fi or a compromised corporate segment—could deliver crafted requests to the vulnerable MCP instance and trigger RCE. The threat surface expands further with DNS rebinding, where a user is enticed to visit a booby-trapped site that resolves to local addresses, enabling cross-origin access to services assumed to be “local only.”
In AI-augmented developer workflows, the risk compounds. MCP-backed tools and AI agents may autonomously issue requests or follow instructions. This creates opportunities for indirect prompt injection to steer agents toward unsafe operations, potentially exfiltrating data or executing attacker-controlled commands when combined with a command injection bug.
Patch status and immediate actions
The vulnerability is fixed in figma-developer-mcp 0.6.3, released on 29 September 2025. Administrators and developers should update immediately. The key engineering change is to avoid child_process.exec with untrusted input and use child_process.execFile instead. Unlike exec, execFile does not invoke a shell, significantly reducing the risk of command injection.
Secure coding and hardening recommendations
Implement strict input validation and normalization for any parameters that can influence outbound requests or system calls. Prefer argument arrays over shell-constructed strings. Apply least-privilege principles so the MCP process runs with minimal rights, reducing blast radius if exploitation occurs.
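The execFile and argument-array advice above, shown as an added example (not the figma-developer-mcp source): a curl fallback in Node.js that validates its input and never starts a shell. The function names, the api.figma.com allowlist and the chosen curl options are assumptions for illustration.

```javascript
// Added example, not the project's code: a curl fallback with no shell involved.
const { execFileSync } = require("node:child_process");

// Assumption: the fallback only ever needs to reach the Figma API host.
const ALLOWED_HOSTS = new Set(["api.figma.com"]);

// Parse and check the URL before it gets anywhere near a process boundary.
function validateUrl(raw) {
  const url = new URL(raw); // throws TypeError on malformed input
  if (url.protocol !== "https:") throw new Error("scheme not allowed");
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error("host not allowed");
  if (url.username || url.password) throw new Error("userinfo not allowed");
  return url.toString();
}

// Build curl's argv as an array. Each element reaches curl as exactly one
// argument, so characters such as | > && ; $ carry no special meaning.
function buildCurlArgs(rawUrl, headers = {}) {
  const args = ["--silent", "--show-error", "--fail", "--max-time", "30"];
  for (const [name, value] of Object.entries(headers)) {
    // Reject odd header names and values containing CR/LF, which would
    // otherwise let a single value add extra header lines.
    if (!/^[A-Za-z0-9-]+$/.test(name) || /[\r\n]/.test(String(value))) {
      throw new Error("invalid header");
    }
    args.push("--header", `${name}: ${value}`);
  }
  args.push(validateUrl(rawUrl)); // always starts with "https://", never "-"
  return args;
}

// The hardened fallback: file + argv, no shell, bounded runtime.
function curlFallback(rawUrl, headers) {
  return execFileSync("curl", buildCurlArgs(rawUrl, headers), {
    encoding: "utf8",
    timeout: 35000,
  });
}

// Offline check of the no-shell property: start a child Node process the
// same way and have it echo back the argument it actually received.
function argvSeenByChild(value) {
  return execFileSync(
    process.execPath,
    ["-e", "process.stdout.write(process.argv[1])", value],
    { encoding: "utf8" }
  );
}
```

curlFallback needs curl on PATH and network access; argvSeenByChild runs offline and returns its input unchanged, shell metacharacters included.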
Network defenses and operational controls
Restrict network exposure with host firewalls and source allowlists; bind services to localhost unless remote access is required. Mitigate DNS rebinding by enforcing Host header validation and restricting accepted origins. Audit and simplify fallback logic paths; avoid “silent” unsafe fallbacks and ensure errors are logged explicitly. Monitor process creation, network egress, and anomalous agent behavior for early detection.
Why this matters for AI developer tools
Local developer services—especially those orchestrating actions for AI agents—are increasingly targeted as entry points. Injection remains a top-tier risk class (see OWASP and MITRE CWE-78), and combining command injection with agent-driven automation magnifies potential impact: credential theft, lateral movement, and source code exfiltration. The lesson is clear: security must keep pace with automation. Design agent integrations, MCP plugins, and fallback routines with a default-deny mindset and clear trust boundaries.
Upgrade to figma-developer-mcp 0.6.3 or newer, replace shell-based fallbacks with execFile, validate all inputs, and lock down network access. Pair these technical controls with rigorous logging and review of agent behaviors. This layered approach materially lowers the likelihood of CVE-2025-53967 exploitation and strengthens the resilience of AI-enabled development environments.