The figma-developer-mcp Model Context Protocol (MCP) server contained a command injection vulnerability (CVE-2025-53967) stemming from a design oversight in how it constructs shell commands. Specifically, the server uses the Node.js child_process.exec function to execute curl commands as a fallback when the standard fetch API fails. This curl command is constructed by directly interpolating user-supplied URL and header values into a shell command string without proper sanitization or escaping. This allows an attacker to inject shell metacharacters (e.g., |, >, &&) into these inputs, resulting in arbitrary command execution on the host system with the privileges of the MCP server process. The MCP server is used to facilitate AI-powered coding agents interacting with Figma’s API, making it a critical component in developer workflows. The exploitation sequence involves sending an Initialize request to obtain a session ID, followed by JSONRPC requests invoking tools like get_figma_data or download_figma_images. An attacker on the same network or via DNS rebinding can exploit this remotely without authentication or user interaction. The vulnerability was discovered and reported by Imperva in July 2025 and patched in version 0.6.3 released on September 29, 2025. The root cause lies in the fallback mechanism implemented in src/utils/fetch-with-retry.ts, where the unsafe use of child_process.exec introduces the injection vector. The recommended fix is to avoid child_process.exec with untrusted input and switch to child_process.execFile, which does not invoke a shell and thus mitigates injection risks. This vulnerability highlights the risks posed by AI-driven development tools when security is not integrated into their design.

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of development environments and potentially sensitive project data. Successful exploitation could allow attackers to execute arbitrary commands remotely, leading to full system compromise of the MCP server host. This could result in unauthorized access to proprietary source code, intellectual property theft, injection of malicious code into development pipelines, and disruption of software delivery processes. Given the integration of MCP servers with AI-powered coding assistants, attackers could manipulate development workflows or exfiltrate data stealthily. Organizations relying on Figma and associated developer tools may face operational downtime, reputational damage, and compliance violations, especially under GDPR requirements for data protection. The vulnerability’s ability to be exploited remotely without authentication or user interaction increases the attack surface, particularly in environments where developers use public or shared networks. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency of patching to prevent future attacks.

European organizations should immediately upgrade to figma-developer-mcp version 0.6.3 or later to apply the official patch. Review and audit any custom integrations or scripts that interact with the MCP server to ensure they do not use child_process.exec with untrusted input. Replace any such usage with child_process.execFile or equivalent safe APIs that avoid shell interpretation. Implement network segmentation and restrict MCP server access to trusted internal networks to reduce exposure to remote attackers. Monitor network traffic and logs for unusual JSONRPC requests or unexpected shell command executions originating from MCP servers. Educate developers and DevOps teams about the risks of command injection and the importance of input validation and sanitization. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block suspicious command execution attempts. Finally, incorporate secure coding practices and security reviews into the development lifecycle of AI-powered tools to prevent similar design oversights.