Command Injection Vulnerability in Figma MCP

1 unique source, 1 article

Summary

A command injection vulnerability (CVE-2025-53967) in the Figma MCP server allows remote code execution. The flaw stems from unsanitized user input and was patched in version 0.6.3. The issue affects developers using AI-powered coding agents such as Cursor. The vulnerability could be exploited by attackers on the same network or via DNS rebinding attacks. It was discovered by Imperva in July 2025 and was addressed in the latest release. The flaw resides in the 'src/utils/fetch-with-retry.ts' file, where the curl command is assembled as a shell command string that includes the unsanitized input, so shell metacharacters in that input are interpreted by the shell and can lead to remote code execution.

Timeline

  1. 08.10.2025 13:58 1 article · 4h ago

    Command Injection Vulnerability in Figma MCP Disclosed

    A command injection vulnerability (CVE-2025-53967) in the Figma MCP server was disclosed. The flaw allows remote code execution due to unsanitized user input. The vulnerability was discovered in July 2025 and was patched in version 0.6.3 of figma-developer-mcp. The issue affects developers using AI-powered coding agents such as Cursor. The flaw can be exploited by attackers on the same network or via DNS rebinding attacks. The vulnerability resides in the 'src/utils/fetch-with-retry.ts' file, where the curl command is assembled as a shell command string that includes the unsanitized input.

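As an added illustration of the bug class described in the summary and the timeline entry above (not code from figma-developer-mcp, Imperva, or the advisory): a curl invocation assembled as a shell string, beside a hardened fallback that validates the URL and hands curl an argv array via execFile so that no shell ever parses the input. The allowed-host list, the function names and the sample URL are assumptions made for this example.

```typescript
// Added example, not the project's code: shell-string curl vs argv-array curl.
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Hosts the curl fallback may contact. Assumed for this example; the page does
// not state which endpoints the real server talks to.
const ALLOWED_HOSTS = new Set(["api.figma.com"]);

// VULNERABLE PATTERN: URL and header values are spliced into one string that a
// shell will parse, so any metacharacter in them is interpreted by the shell
// instead of reaching curl as data. The string is only returned here, never run.
export function buildCurlShellCommand(url: string, headers: Record<string, string>): string {
  const headerFlags = Object.entries(headers)
    .map(([k, v]) => `-H "${k}: ${v}"`)
    .join(" ");
  return `curl -s -S --fail ${headerFlags} "${url}"`;
}

// HARDENED PATTERN: parse and validate the URL, reject CR/LF in headers, then
// build an argv array. execFile runs curl without a shell, so every element is
// passed to curl verbatim; "--" ends option parsing so the URL is never read
// as a flag even if validation were loosened later.
export function buildCurlArgv(url: string, headers: Record<string, string>): string[] {
  const parsed = new URL(url); // throws on malformed input
  if (parsed.protocol !== "https:" || !ALLOWED_HOSTS.has(parsed.hostname)) {
    throw new Error(`refusing to fetch host ${parsed.hostname}`);
  }
  const args = ["-s", "-S", "--fail"];
  for (const [k, v] of Object.entries(headers)) {
    if (/[\r\n]/.test(k + v)) throw new Error("CR/LF in header value");
    args.push("-H", `${k}: ${v}`);
  }
  args.push("--", parsed.toString());
  return args;
}

// Hardened fallback fetch: no shell involved, so the URL cannot inject commands.
export async function fetchWithCurl(url: string, headers: Record<string, string> = {}): Promise<string> {
  const { stdout } = await execFileAsync("curl", buildCurlArgv(url, headers));
  return stdout;
}
```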
