AI/ML, AI benefits/risks, Patch/Configuration Management

RCE possible with Figma MCP vulnerability

Threat actors could exploit an already-patched high-severity flaw in the widely used Figma Model Context Protocol server, tracked as CVE-2025-53967, to facilitate remote code execution, according to The Hacker News.

The command injection vulnerability stems from a command-line instruction constructed to send traffic to the Figma API endpoint. According to Imperva, which discovered and reported the issue, abuse involves delivering an Initialize request to an MCP endpoint and then relaying a JSONRPC request to the MCP server, which retrieves the requested content either through the standard fetch API or by executing a curl command. Attackers could also leverage the flaw in a DNS rebinding intrusion.

"As AI-driven development tools continue to evolve and gain adoption, it's essential that security considerations keep pace with innovation. This vulnerability is a stark reminder that even tools meant to run locally can become powerful entry points for attackers," said Imperva.
