How to fix CVE-2025-15061?

Within 24 hours: Inventory all systems running Framelink Figma MCP Server and isolate affected instances from production networks. Within 7 days: Implement network segmentation to restrict access to the service, disable the fetchWithRetry command if possible, and deploy WAF rules to block exploitation attempts. Within 30 days: Identify and evaluate alternative solutions, coordinate with vendor for patch timeline, and conduct threat hunting for signs of compromise.

Is Command Injection affected by CVE-2025-15061?

CVE-2025-15061 is a critical remote code execution vulnerability in Framelink Figma MCP Server that allows unauthenticated attackers to execute arbitrary code with a 9.8 CVSS score. Organizations using this tool face immediate risk of system compromise, data theft, and operational disruption.

CVE-2025-15061

CRITICAL

2026-01-23 [email protected]

GHSA-gxw4-4fc5-9gr5

9.8

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 23, 2026 - 04:16 nvd

CRITICAL 9.8

Description

Framelink Figma MCP Server fetchWithRetry Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Framelink Figma MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the fetchWithRetry method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27877.

Analysis

Framelink Figma MCP Server has a command injection vulnerability in fetchWithRetry (EPSS 1.4%) enabling remote code execution on developer machines using the MCP integration.

Technical Context

The Framelink Figma MCP Server has a CWE-78 command injection in the fetchWithRetry function that allows remote attackers to inject OS commands through crafted MCP protocol messages.

Affected Products

['Framelink Figma MCP Server']

Remediation

Update the MCP server. Run MCP servers in sandboxed environments.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +1.4

CVSS: +49

POC: 0

CVE-2025-15061 vulnerability details – vuln.today

Back

CVE-2025-15061

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15061

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code