- CVE-2025-53967 allows remote code execution through a command injection flaw in figma-developer-mcp
- The vulnerability stems from untrusted input being passed to shell commands via child_process.exec
- Users should upgrade to version 0.6.3 or switch to the safer child_process.execFile API
A vulnerability has been found in the bridge between Figma and AI agents that could be used to remotely execute malicious code on compromised endpoints, experts have warned.
A new security advisory published on GitHub says the ‘figma-developer-mcp’ npm package is vulnerable to a command injection flaw.
Figma is a cloud-based design tool for building user interfaces, websites and apps. The figma-developer-mcp server is a small package that connects Figma to AI coding agents such as Cursor or GitHub Copilot through the Model Context Protocol (MCP) and lets AI tools interact with Figma through its API. It is effectively a bridge between Figma and AI agents.
How to remain safe
There is also Framelink, a third-party integration built on top of Figma’s developer MCP server that lets these AI systems interact with Figma documents: fetching design elements, reading their structure, or even generating code from design layouts.
Now, security researchers have found that figma-developer-mcp is vulnerable to a command injection flaw that allows threat actors to insert special characters into the input and trick the system into running any command they want. It is tracked as CVE-2025-53967 and was given a severity score of 7.5/10 (high).
“The server constructs and executes shell commands using unsanitized user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.),” reads the GitHub advisory. “Successful exploitation can lead to remote code execution under the privileges of the server process.”
To address the flaw, users should upgrade to version 0.6.3 of figma-developer-mcp, which was published on September 29, 2025.
Those who can’t do so right away should stop using child_process.exec with untrusted input and instead switch to child_process.execFile, a “much safer API” that lets callers pass arguments as a separate array, avoiding shell interpretation entirely.
Via The Hacker News