CVE-2025-53967: 
JavaScript vulnerability analysis and mitigation

A critical command injection vulnerability (CVE-2025-53967) was discovered in the Framelink Figma MCP Server versions prior to 0.6.3. The vulnerability allows an unauthenticated remote attacker to execute arbitrary operating system commands through a crafted HTTP POST request. The issue was discovered in July 2025 and was fully patched in September 2025 (Imperva Blog, NVD).

The vulnerability stems from improper input sanitization in the fetchWithRetry function within src/utils/fetch-with-retry.ts. When the primary fetch API call fails, the function falls back to using curl via child_process.exec, but directly interpolates URL and header values into the shell command string without proper validation. This implementation allows attackers to inject shell metacharacters that can execute arbitrary commands. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) with attack vector: adjacent network, attack complexity: high, privileges required: none, and user interaction: none (AttackerKB, Imperva Blog).

The vulnerability can lead to full remote code execution with the privileges of the MCP process. Successful exploitation allows attackers to achieve persistence on systems, exfiltrate sensitive assets including source code and API keys, poison AI-generated code through manipulated design input, move laterally within networks, and potentially deploy ransomware or other malicious payloads (Imperva Blog).

Users should immediately update to version 0.6.3 or later, which includes a complete fix for the vulnerability. The patch implements proper input validation and restricts the HTTP server to listen only on localhost. Alternatively, users can migrate to the official Figma MCP server. Organizations should also implement strict dependency management, conduct regular security reviews, and monitor security advisories (GitHub Release, Imperva Blog).