Overview
Command injection in the Framelink Figma MCP server's fetch-with-retry.ts module. When the standard fetch fails, the server falls back to executing curl via child_process.exec, splicing the unsanitized URL into the shell command string, which enables arbitrary command execution. The project has over 600,000 downloads and 10,000+ GitHub stars. CVSS 8.0.
Who Is Affected
Discovered by Imperva Threat Research. Affects users of the extremely popular Framelink Figma MCP server (600K+ downloads), used to bridge Figma design data into AI-powered development workflows.
Where It Exists
The vulnerability is in fetch-with-retry.ts. When a standard HTTP fetch call fails, the fallback code builds a curl command by concatenating the URL string directly into the command string handed to child_process.exec, with no sanitization, so the URL is interpreted by the shell rather than passed as a single argument.
When It Was Found
Published October 2025 by Imperva. Affects versions < 0.6.3. Fixed September 29, 2025. The wide install base (600K+ downloads) made this a high-profile disclosure.
How It Works
An attacker crafts a URL containing shell metacharacters that is passed to the Figma MCP server's fetch function. When the standard fetch fails (which can be triggered by specific URL patterns), the fallback curl execution runs the injected commands. The URL can reach the server through prompt injection in Figma design file names, text layers, or component descriptions.
Impact
Full remote code execution on the server host. Given the popularity of this server in design-to-code workflows, the blast radius is enormous. Attackers can steal Figma API tokens, access source code, install backdoors, and compromise the development environment.
Mitigation
Update to Framelink Figma MCP server v0.6.3 or later. Never use child_process.exec with string concatenation for URL fetching. Use execFile (or spawn) with an argument array, so the URL reaches the child process as one literal argument that no shell ever parses, or stick to native fetch/HTTP libraries. Audit all MCP server dependencies for similar fallback-to-shell patterns.
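As an added example, not code from the Framelink project, the following shows the fallback-to-curl pattern the advisory describes next to a hardened replacement built on execFile with an argument array, as the mitigation recommends. The function names (unsafeCurlCommand, validateFetchUrl, buildCurlArgv, curlFallback), the Runner type and the curl flags are choices made for this example and are not taken from fetch-with-retry.ts.

```typescript
// Added example (not the Framelink Figma MCP server's own code): the
// fallback-to-curl pattern in its unsafe form and a hardened replacement.
import { execFile } from "node:child_process";

// UNSAFE: the pattern the advisory describes. The URL is spliced into a shell
// command string, so any shell syntax inside it is interpreted by /bin/sh
// instead of being fetched. Kept here only for contrast; never invoked.
export function unsafeCurlCommand(url: string): string {
  return `curl -s ${url}`; // a ';' in url turns one command into two
}

// Parse and normalize with the WHATWG URL parser and allow only http(s).
// curl itself understands file://, ftp:// and more, so the scheme must be
// pinned here rather than left to curl. The parser percent-encodes characters
// such as backticks; characters that are legal in URLs (';', '&') are kept,
// which is fine because the result never reaches a shell.
export function validateFetchUrl(raw: string): URL {
  let parsed: URL | null = null;
  try {
    parsed = new URL(raw);
  } catch {
    /* fall through: rejected below */
  }
  if (parsed === null) {
    throw new Error("fetch fallback: not a valid absolute URL");
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    throw new Error(`fetch fallback: scheme ${parsed.protocol} is not allowed`);
  }
  return parsed;
}

// Build argv for curl. Every element is one literal argument: no shell, no
// word splitting, no metacharacter expansion. "--" ends option parsing so a
// URL can never be read by curl as an option.
export function buildCurlArgv(raw: string): string[] {
  const url = validateFetchUrl(raw);
  return [
    "curl",
    "--silent", "--show-error",
    "--location", "--max-redirs", "3",
    "--max-time", "30",
    "--",
    url.href,
  ];
}

// A Runner receives the program and its argument array. The default spawns
// the process directly with execFile (no shell); tests inject a recorder.
export type Runner = (file: string, args: string[]) => void;

export function curlFallback(
  raw: string,
  run: Runner = (file, args) => { execFile(file, args); },
): string[] {
  const argv = buildCurlArgv(raw);
  run(argv[0], argv.slice(1));
  return argv;
}

// Stand-alone demonstration with a recording runner, so nothing is spawned.
// Constructed sample: a URL carrying a ';', which a shell would treat as a
// command separator but which here stays inside a single argv element.
const recorded: string[][] = [];
curlFallback("https://example.com/a;b", (file, args) => {
  recorded.push([file, ...args]);
});
console.log(recorded[0]); // last element is the whole URL, ';' included
```

The scheme check matters even with execFile: passing the URL as one argument stops shell injection, but curl would still happily read file:// or ftp:// targets if the scheme were left to it. Injecting the Runner keeps the argv construction testable without spawning curl.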