- Description: Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize user-supplied input, enabling the attacker to inject malicious commands that are executed with the privileges of the MCP process. Exploitation requires network access to the MCP interface.
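The description above names the root cause: a URL and header values are interpolated into a curl command string that a shell then parses, so metacharacters in them change the command. The following example was written for this page and is not the figma-developer-mcp project's code; the function names buildShellCommand, validateFetchUrl, buildCurlArgv, fetchWithCurl and looksLikeShellInjection, the api.figma.com host allowlist, and the sample inputs are all assumptions. It places the shell-string construction next to an argv-based execFile call behind a URL allowlist, and adds a small heuristic for triaging logged tool inputs during review.

```javascript
// Added example, not the figma-developer-mcp project's code.
// Contrasts the shell-string pattern behind CVE-2025-53967 with an argv-based,
// validated alternative. All names below are hypothetical.

// Injectable pattern: URL and header values are pasted into a string that a
// shell parses, so ';', '"', '$(...)' and similar in them become commands.
// Shown for contrast only; never run this form with untrusted input.
function buildShellCommand(url, headers = {}) {
  const headerFlags = Object.entries(headers)
    .map(([k, v]) => `-H "${k}: ${v}"`)
    .join(" ");
  return `curl -s -L ${headerFlags} "${url}"`;
}

// Hardened form, step 1: only accept URLs for the upstream this fetcher exists
// to reach. Assumption: api.figma.com is the only host that is needed.
const ALLOWED_HOSTS = new Set(["api.figma.com"]);

function validateFetchUrl(raw) {
  let u;
  try {
    u = new URL(String(raw));
  } catch {
    throw new Error("fetch target is not a valid URL");
  }
  if (u.protocol !== "https:") throw new Error("only https targets are allowed");
  if (!ALLOWED_HOSTS.has(u.hostname)) throw new Error("host not allowed: " + u.hostname);
  return u.href;
}

// Hardened form, step 2: build an argv array. Every value is a separate
// argument handed directly to curl; no shell ever sees it.
function buildCurlArgv(url, headers = {}) {
  const safeUrl = validateFetchUrl(url);
  const argv = ["-s", "-L", "--max-time", "30"];
  for (const [name, value] of Object.entries(headers)) {
    // Header names are tokens; values must not carry CR/LF (header injection).
    if (!/^[A-Za-z0-9-]+$/.test(name)) throw new Error("bad header name: " + name);
    if (/[\r\n]/.test(String(value))) throw new Error("bad header value for " + name);
    argv.push("-H", `${name}: ${value}`);
  }
  argv.push(safeUrl);
  return argv;
}

// Hardened form, step 3: execFile (not exec) runs the binary with the argv
// array and no intermediate shell. child_process is required lazily so the
// builders above can be unit-tested without a curl binary present.
function fetchWithCurl(url, headers = {}) {
  const { execFile } = require("node:child_process");
  return new Promise((resolve, reject) => {
    execFile("curl", buildCurlArgv(url, headers), { maxBuffer: 10 * 1024 * 1024 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}

// Triage heuristic for logged tool inputs: flags characters that change
// meaning inside a POSIX shell. '&' and '?' are left out on purpose so normal
// query strings are not flagged; validateFetchUrl is the real control, this
// only helps when reading request logs after the fact.
const SHELL_META = /[;|`$(){}<>\n\r\\'"]/;

function looksLikeShellInjection(value) {
  return SHELL_META.test(String(value));
}
```

Usage: call fetchWithCurl(url, headers) where the shell-string version used to be called; anything that fails validateFetchUrl or the header checks is rejected before a process is spawned, and looksLikeShellInjection(value) can be run over the URL and header fields recorded in MCP request logs to find inputs worth a closer look.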
- Source: cve@mitre.org
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 8
- Impact score: 5.8
- Exploitability score: 1.6
- Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
- Severity: HIGH
- CWE-420 (source: cve@mitre.org)
- Hype score: Not currently trending
Today's suggestion: "CVE-2025-53967 Remote Code Execution in Framelink Figma MCP Server" ❗️👩🏻💻 Credit: @EndorLabs 🌟🙌🏻 Link: https://t.co/oSXfkhI11T 🔗 #cybersecurity #infosec #cve202553967 #remoteecodexecution #rce #commandinjection #mcpsecurity #agen
@brcyrr
20 Oct 2025
5 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚩 Severe Figma MCP Vulnerability Enables Remote Code Execution (CVE-2025-53967) https://t.co/p9oPaVnid3 A command injection flaw in the figma-developer-mcp package allows attackers to inject shell metacharacters via unvalidated input, enabling arbitrary code execution under
@Huntio
18 Oct 2025
1624 Impressions
5 Retweets
14 Likes
4 Bookmarks
1 Reply
0 Quotes
⚠️ CVE-2025-53967: RCE in Figma’s MCP plugin. When #AI integrations forget to sanitize inputs, attackers find the door. #CybersecurityAwarenessMonth reminder: smart tools still need locks. Full story via @darkreading: https://t.co/hYBHVevHH0 @CISAgov @AppSec_Village #
@tzionit411
10 Oct 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ CVE-2025-53967: RCE in Figma’s MCP plugin. When AI integrations forget to sanitize inputs, attackers find the door. #CybersecurityAwarenessMonth reminder: smart tools still need locks. 🔐 Full story via @darkreading: https://t.co/xjcpGEdAhm @CISAgov #appsec #new
@AppSec_Village
10 Oct 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The Figma developer component figma-developer-mcp has been disclosed to have a command injection vulnerability, CVE-2025-53967. The flaw is in the fallback download flow, which runs curl in a shell with an unsanitized URL/header; an attacker can inject shell commands and gain system execution privileges. If you have this package installed, please upgrade immediately or temporarily
@lfcba8178
9 Oct 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical Figma MCP vulnerability allows remote code execution; patch quickly (CVE-2025-53967) https://t.co/L8hWEKbxF6 #Security #セキュリティー #ニュース
@SecureShield_
9 Oct 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨CVE-2025-53967: figma-developer-mcp vulnerable to command injection in get_figma_data tool Advisory: https://t.co/wwuYGhvUQy CVSS: 7.5 Write-up: https://t.co/umSoEKozUp Write-up 2: https://t.co/m5NkpNsCkq Video Credit: Imperva https://t.co/i6PEUjMHSo
@DarkWebInformer
8 Oct 2025
5067 Impressions
6 Retweets
25 Likes
5 Bookmarks
1 Reply
0 Quotes
CVE-2025-53967 Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with … https://t.co/O79b3lh1V5
@CVEnew
8 Oct 2025
249 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular Model Context Protocol (MCP) server figma-developer-mcp that could allow attackers to execute code
@Teeegra
8 Oct 2025
565 Impressions
0 Retweets
6 Likes
0 Bookmarks
0 Replies
0 Quotes
Figma MCP server flaw (CVE-2025-53967) allows unauthenticated attackers to achieve remote code execution on developer machines. https://t.co/U4nPdnVKCV https://t.co/QW1jLcMjdB
@DailyDarkWeb
8 Oct 2025
5249 Impressions
5 Retweets
22 Likes
12 Bookmarks
0 Replies
1 Quote
📌 Cybersecurity research has revealed a serious vulnerability in Figma's Model Context Protocol (MCP) that allows attackers to execute code remotely. The vulnerability,
@Cybercachear
8 Oct 2025
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes