CVE-2025-56803
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-09-26

Assigner: MITRE

Description
Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE. NOTE: this is disputed by the Supplier because the behavior only allows a local user to attack himself via a local plugin. The local build procedure, which is essential to the attack, is not executed for plugins shared to the Figma Community.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: figma; Product: desktop; Version / Range: 125.6.5
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a command injection flaw in Figma Desktop for Windows version 125.6.5, specifically in its local plugin loader. The application reads the "build" field from a plugin's manifest.json file and passes its value directly to the Node.js child_process.exec() function without any validation or sanitization. This allows an attacker to craft a plugin manifest with malicious commands in the "build" field, which the application will execute immediately upon loading the plugin, enabling arbitrary operating system command execution. [1]


How can this vulnerability impact me?

This vulnerability can lead to remote code execution (RCE) on the affected system. An attacker can execute arbitrary OS commands with the privileges of the Figma Desktop application user, potentially leading to full system compromise, data theft, installation of malware, or disruption of system operations without any user interaction or warnings. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the manifest.json files of installed Figma plugins for a "build" field containing suspicious or unexpected commands. Since the vulnerability involves execution of commands taken from this field, look for plugins whose "build" field is set to an executable command. For example, you can list the manifest.json files that contain a "build" field with:

find <plugin-directory> -name manifest.json -exec grep -H '"build"' {} \;

Additionally, monitoring process creation events for unexpected child processes launched by the Figma Desktop application may help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of plugins that contain a "build" field in their manifest.json files or verifying and removing any plugins with suspicious "build" commands. Additionally, applying strict input validation on the "build" field or disabling plugin loading until a patch is available can reduce risk. Developers should replace the use of child_process.exec() with safer alternatives that handle arguments explicitly to prevent command injection. Users should also update to a fixed version of Figma Desktop once available. [1]

