- CVE-2025-53967 allows remote code execution via figma-developer-mcp command injection flaw
- Vulnerability stems from unvalidated input passed to shell commands using child_process.exec
- Users should upgrade to version 0.6.3 or switch to safer child_process.execFile API
A vulnerability has been found in the bridge between Figma and AI agents that could be used to remotely execute malicious code on compromised endpoints, experts have warned.
A new security advisory published on GitHub says the ‘figma-developer-mcp’ npm package is vulnerable to a command injection flaw.
Figma is a cloud-based design tool built for developing user interfaces, websites, and apps. The figma-developer-mcp server is a small package that connects Figma to AI coding agents like Cursor or GitHub Copilot through the Model Context Protocol (MCP) and lets AI tools interact with Figma through its API. It is something like a bridge between Figma and AI agents.
How to stay safe
There is also Framelink – a third-party integration built on top of Figma’s Developer MCP server, which lets these AI systems interact with Figma documents: fetching design elements, reading structure, or even generating code from design layouts.
Now, security researchers have found that figma-developer-mcp is vulnerable to a command injection flaw that allows threat actors to insert special characters into the input and trick the system into running any command they want. It is tracked as CVE-2025-53967, and was given a severity score of 7.5/10 (high).
“The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.),” the GitHub advisory reads. “Successful exploitation can lead to remote code execution under the server process’s privileges.”
To address the flaw, users should grab version 0.6.3 of figma-developer-mcp, published on September 29, 2025.
Those who cannot do that right now should stop using child_process.exec with untrusted input, and instead switch to child_process.execFile – a “much safer API” that allows users to pass arguments as a separate array – avoiding shell interpretation entirely.
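The difference between the two APIs, shown side by side in an added example (not code from the advisory or from the package). It assumes a POSIX host with `echo` on the PATH; the function names, the sample input and the allowlist are hypothetical, and the synchronous variants are used because they share the shell behaviour of `exec` and `execFile`.

```javascript
const { execSync, execFileSync } = require('node:child_process');

// Constructed input: a client-supplied value carrying a shell metacharacter.
const HOSTILE = 'design.fig; echo INJECTED';

// Vulnerable pattern: the value is spliced into a string that /bin/sh parses,
// so `;`, `|`, `>` and `&&` are treated as shell syntax.
// (execSync has the same shell semantics as child_process.exec.)
function describeUnsafe(fileName) {
  return execSync(`echo fetching ${fileName}`, { encoding: 'utf8' });
}

// Hardened pattern: no shell is started; each array element reaches the
// program as exactly one argv entry. (Sync twin of child_process.execFile.)
function describeSafe(fileName) {
  return execFileSync('echo', ['fetching', fileName], { encoding: 'utf8' });
}

// Defence in depth (hypothetical allowlist): execFile stops shell parsing, but
// a value starting with "-" could still be read as an option by the program.
function isPlainFileName(value) {
  return /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/.test(value);
}

function demo() {
  return {
    unsafe: describeUnsafe(HOSTILE), // the shell ran a second command
    safe: describeSafe(HOSTILE),     // one command, input kept literal
    literal: ['a | b', 'a > b', 'a && b'].map((v) => describeSafe(v).trim()),
    accepted: ['design.fig', HOSTILE, '--help'].map(isPlainFileName),
  };
}

console.log(demo());
```

In the unsafe output the marker appears on its own line because the shell executed it as a second command; in the safe output the whole value is echoed back as a single argument.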
Via The Hacker News