CVE-2025-53967 Remote Code Execution in Framelink Figma MCP Server

Learn about CVE-2025-53967, a high-severity RCE vulnerability in Framelink Figma MCP, including mitigation and vetting recommendations.

Written by Jenn Gile
Published on October 10, 2025

This week, Imperva announced their discovery of a now-patched vulnerability in the popular Framelink Figma MCP server that could allow attackers to achieve remote code execution (RCE). CVE-2025-53967 is a high-severity (7.5/10) vulnerability that could have a large blast radius due to the project’s popularity. Since launching in February 2025, Framelink Figma MCP surpassed 100k downloads per month, has been forked 890 times (a strong signal of usage), and has accrued 11.1k GitHub stars. (The project’s popularity is understandable since the official Figma MCP Server wasn’t released until June 2025.)

What is the Framelink Figma MCP?

Framelink Figma MCP (also referred to as “figma-developer-mcp”) is the equivalent of a 3rd party plug-in used to expose Figma tools in AI code agents (like Cursor) via the Model Context Protocol. While news coverage makes it sound like there’s an issue with Figma, that's not the case. Framelink Figma MCP is maintained by a single individual (GLips) with minimal community contributions. 

What does CVE-2025-53967 do?

As Imperva says, “By exploiting a design oversight in Framelink’s fallback mechanism, an attacker could achieve full remote code execution, putting developer machines, design data, and connected networks at risk.”

RCEs are a significant risk (see Remote Code Execution Vulnerabilities in Apache Struts for more details) and often warrant high severity scores because of the potential to execute nefarious commands. In this case, versions before 0.6.3 can allow unauthorized users to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize user-supplied input, enabling the attacker to inject malicious commands that are executed with the privileges of the MCP process. 
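The injection class described above, as an added Node.js example (not code from Framelink Figma MCP or from Imperva's report): a shell-built command string next to an argument array passed to `execFile`. The function names, the `api.figma.com` allowlist and the sample URL are assumptions made for illustration, and a child Node process stands in for curl so the block runs offline.

```javascript
// Added illustration, not code from Framelink Figma MCP; all names are hypothetical.
const { execFileSync } = require("node:child_process");

// "Before" shape described in the text: request input is pasted into one
// shell command line. Built as a string only; it is never executed here.
function buildShellCommand(url) {
  return `curl -s -L "${url}"`; // sh still expands $(...) inside double quotes
}

// Assumed allowlist: the only upstream this server should need to reach.
const ALLOWED_HOSTS = new Set(["api.figma.com"]);

// "After" shape: validate the URL, then return an argv array for execFile,
// which starts the program directly with no shell in between.
function buildCurlArgv(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    throw new Error("not a URL");
  }
  if (u.protocol !== "https:") throw new Error("scheme not allowed");
  if (!ALLOWED_HOSTS.has(u.hostname)) throw new Error("host not allowed");
  // "--" ends option parsing, so the value can never be read as a curl flag.
  return ["-s", "-L", "--", u.href];
}

// Stand-in for curl so this runs offline: a child Node process that reports
// the arguments it received, started with execFile the way curl would be.
function receivedByChild(argv) {
  const script = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";
  const out = execFileSync(process.execPath, ["-e", script, "--", ...argv], {
    encoding: "utf8",
  });
  return JSON.parse(out);
}

// Constructed input: a valid URL whose path carries a shell substitution.
const SAMPLE = "https://api.figma.com/v1/files/abc$(date)";

console.log("shell string :", buildShellCommand(SAMPLE));
console.log("execFile argv:", receivedByChild(buildCurlArgv(SAMPLE)));
```

URL parsing leaves `$(date)` in the path untouched, so validation alone does not make the value shell-safe; removing the shell is what makes the child receive it as one literal argument.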

Timeline 

Imperva hasn’t disclosed how they discovered the vulnerability, but we can speculate that, like many research teams, they were researching the possibility of MCP servers as attack vectors. They likely scanned the repo for known bad patterns and picked up on the potential for RCE.

They shared the following timeline of events:

  • July 8, 2025 – Initial contact with project maintainers to disclose the vulnerability
  • July 15, 2025 – Maintainers acknowledged receipt of the report
  • July 16, 2025 – Full technical report submitted to maintainers
  • July 22, 2025 – Public pull request created, exposing details of the vulnerability
  • August 13, 2025 – Partial fix merged, addressing only part of the issue
  • September 29, 2025 – Complete fix released in version 0.6.3

Mitigation recommendations

The MCP server exposes an unauthenticated port that could be accessible to Chrome extensions and devices on your local network. This means that for the vulnerability to be exploitable, something else on your network would already have to be compromised (e.g. a bad Chrome extension). Given that the attacker is already in your network and able to move laterally, defensive security tools like a WAF won’t necessarily prevent access, but they could prevent exfiltration.

All users should immediately update to version 0.6.3 or later. 

In addition, as this MCP server has several risk indicators (see below), users should consider migrating to the official Figma MCP Server. A company like Figma will have infrastructure in place to quickly remediate code bugs (i.e. in hours, not months). Figma also has an application security team, and odds are good that they would have been able to detect the RCE themselves through a SAST scan.

Are MCP servers dangerous?

That’s the question, isn’t it?! MCP servers allow AI agents to access thousands of third-party servers that enrich model context with external data, tools, and integrations. That includes bringing security scanning right into your AI code assistant. Our research has shown that the use of MCP servers in this manner vastly improves code security. That’s good, right?

Right…but that’s assuming you trust the MCP server developer to have followed security best practices. While MCP servers don’t introduce an entirely new class of attacks, they do collapse multiple categories of existing risks (supply chain compromise, API abuse, and prompt manipulation) into one place. That makes them more challenging to develop securely, and a tempting target for bad actors. We’ll be publishing research soon on this topic, but here’s a teaser: We found that MCP servers are particularly vulnerable to brand-jacking and typosquatting attacks, and are prone to path traversal and code injection. Keep an eye out for our upcoming 2025 Dependency Management Report.

Vetting MCP servers

In talking with the community, I’ve found that security assessments of MCP servers are still somewhat immature because the technology itself is immature. In fact, many people say they decide whether to trust an MCP server based on whether they have an existing contract with a company. To vet MCP servers, we recommend full SAST and SCA scans (as you would with any other dependency/code). Also consider monitoring techniques (such as the MCP Inspector) that evaluate the runtime behavior. And when you’re evaluating an MCP server, consider its source in the same way you might an open source package.

Governing MCP server usage

Further, many security teams say they have no visibility into which MCP servers are being used. But that’s something most want to change by centrally governing MCP server usage. A first step in this direction is GitHub’s introduction of an MCP Registry and policies for configuring an allowlist of approved servers, ensuring developers in supported IDEs with Copilot can only see and run trusted MCP servers.

Should you approve usage of a 3rd party MCP server?

This is the really tough question because it comes down to organizational risk tolerance vs. preference for speed. Using Framelink Figma MCP as an example, we have a scrappy project that came to market six months before the official version. For users who really want features fast, that kind of speed makes the unofficial version attractive. But there are tradeoffs. Company-maintained MCP servers (like their products) tend to prioritize stability and security over velocity.

Let’s assume you’re vetting Framelink Figma MCP for your organization, and you’ve already run SAST/SCA scans to look for vulnerabilities. There are risk factors you should weigh before approving usage. Based on a review of the repo, we can see:

  • The project has a single maintainer, who is not a professional developer; both are risk factors related to activity and code quality.
  • The tool is written in JavaScript, which is notorious for dependency bloat, a risk factor for security (specifically CVEs).
  • The package makes use of unpinned dependencies, a risk factor for security (specifically malware).

These factors combined tell us that this project has a higher-than-average probability that it could have future security and support issues.
