CVE-2025-53967

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-53967
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53967.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-53967
Aliases
Published
2025-10-08T17:15:34.507Z
Modified
2026-03-15T14:53:08.281513Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize user-supplied input, enabling the attacker to inject malicious commands that are executed with the privileges of the MCP process. Exploitation requires network access to the MCP interface.

References

Affected packages

Git / github.com/GLips/Figma-Context-MCP

Affected ranges

Type
GIT
Repo
https://github.com/GLips/Figma-Context-MCP
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
927f2c1984c1274f24a02bb41dafcdf92dd2e832
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.6.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/glips/figma-context-mcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
927f2c1984c1274f24a02bb41dafcdf92dd2e832

Affected versions

v0.*
v0.2.2
v0.2.2-beta.0
v0.2.2-beta.1
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1
v0.6.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53967.json"