Figma Developer MCP Server, Command Injection, CVE-2024-XXXXX (Critical)


The vulnerability in the figma-developer-mcp server stems from the unsafe construction of a shell command using unsanitized user input. Within the `fetchWithRetry` function, when a fetch operation fails, the code constructs a curl command for a retry attempt. The user-controlled `url` parameter is directly interpolated into the shell command string without any sanitization. Specifically, the line `` const curlCommand = `curl -s -S --fail-with-body -L ${curlHeaders.join(" ")} "${url}"`; `` is executed via `child_process.exec`. This function spawns a shell, so any shell metacharacters present in the `url` value are interpreted by the shell. An attacker can provide a malicious `fileKey` argument to the `get_figma_data` tool, which is then used as part of the `url`. By crafting a `fileKey` containing characters such as `$()`, `|`, or `&&`, followed by a system command, the attacker can break out of the intended command context and execute arbitrary operating system commands with the privileges of the MCP server process.
Platform: Figma Developer MCP
Version: <0.6.3
Vulnerability: Command Injection
Severity: Critical

date: 2024

Prediction: 2024-10-15

What Undercode Say:

```
cat /tmp/TEST1
npx -y figma-developer-mcp --stdio
```

```javascript
const curlCommand = `curl -s -S --fail-with-body -L ${curlHeaders.join(" ")} "${url}"`;
child_process.exec(curlCommand, ...);
```

How the Exploit Works:

Attacker supplies `$(id>/tmp/TEST1)` as fileKey.

Tool constructs URL: https://api.figma.com/v1/files/$(id>/tmp/TEST1).

Shell executes `id` command, writes output to `/tmp/TEST1`.

Protection from this CVE:

Update to version >=0.6.3.

Replace `child_process.exec` with `child_process.execFile`.

Implement strict input validation.

Impact:

Remote Code Execution

Full Server Compromise


Sources:

Reported By: github.com
Extra Source Hub: Undercode
