
2025-10-01

High | Primary

Framelink Figma MCP Server Passed Unsanitized Input to child_process.exec Enabling Prompt Injection RCE (CVE-2025-53967, CVSS 7.5)

The figma-developer-mcp (Framelink) MCP server used in Cursor passed unsanitized Figma file data to child_process.exec. Indirect prompt injection via Figma file content triggered shell metacharacter injection and RCE on developer machines. CVSS 7.5. Patched in v0.6.3.

Framelink Figma MCP | Tool execution / MCP | Indirect prompt injection + shell metacharacter injection RCE | Developer workstation / Cursor IDE / Figma MCP server

What happened

An attacker embedded shell metacharacters in Figma file layer names or component metadata. When the AI assistant called get_figma_data to fetch design specifications, the unsanitized content was passed to child_process.exec, executing the attacker's shell commands on the developer's machine.

Why it matters

The flaw gives full RCE on developer workstations running Cursor with the Framelink Figma MCP server. An attacker gains access to source code, environment variables, SSH keys, and any credentials accessible to the developer process.

Missing authorization check

MCP server tools that pass external data (from third-party services like Figma) to shell execution contexts must sanitize all inputs or use parameterized execution. User-controlled or third-party content must never be interpolated directly into shell commands.

Would PP block it?

A receipt gate forces human authorization before the MCP tool call runs, adding a human review opportunity that could catch suspicious Figma file interactions. The underlying fix requires using child_process.execFile with argument arrays instead of shell interpolation.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-10-01

    CVE-2025-53967 disclosed: Framelink Figma MCP server get_figma_data tool passes unsanitized Figma content to child_process.exec, enabling shell injection and RCE.

  2. 2025-10-01

    Framelink releases figma-developer-mcp v0.6.3 patching the vulnerability by using execFile with argument arrays.

Technical breakdown

  • The get_figma_data tool fetched design data from Figma's API and passed layer names, component descriptions, and other metadata to child_process.exec as part of a shell command string.
  • Shell metacharacters (`;`, `|`, `$()`, backticks) in Figma content were not escaped, allowing injection of arbitrary shell commands.
  • The attack is indirect prompt injection: the attacker doesn't interact with the AI assistant directly but poisons the data source (Figma file) that the assistant reads.
  • Any designer with Figma edit access could trigger RCE on any developer using the MCP server — including developers on other teams who share the Figma organization.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: MCP tool call authorization, shell execution boundary
Still needs: Unsanitized third-party content passed to shell execution; no input validation in MCP tool implementation
Receipt required for: Figma data fetch tool calls, any MCP tool that processes third-party file content

PP's Tool-Call Gate would require a receipt before the get_figma_data tool call executes. It would not prevent shell injection within the MCP server's internal implementation — that requires code-level fixes to use execFile or sanitize inputs.

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
