Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE. NOTE: this is disputed by the Supplier because the behavior only allows a local user to attack himself via a local plugin. The local build procedure, which is essential to the attack, is not executed for plugins shared to the Figma Community.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 08 Sep 2025 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Figma; Figma desktop
CPEs                 -                cpe:2.3:a:figma:desktop:125.6.5:*:*:*:*:windows:*:*
Vendors & Products   -                Figma; Figma desktop

Mon, 08 Sep 2025 18:45:00 +0000

Type: Description
Values Removed: Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE.
Values Added: Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE. NOTE: this is disputed by the Supplier because the behavior only allows a local user to attack himself via a local plugin. The local build procedure, which is essential to the attack, is not executed for plugins shared to the Figma Community.

Thu, 04 Sep 2025 13:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Microsoft; Microsoft windows
Vendors & Products   -                Microsoft; Microsoft windows

Wed, 03 Sep 2025 19:15:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-78
Metrics     -                cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                             ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 17:30:00 +0000

Type: Description
Values Removed: -
Values Added: Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-09-08T18:25:25.655Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-56803

Vulnrichment

Updated: 2025-09-03T18:42:29.860Z

NVD

Status : Analyzed

Published: 2025-09-03T18:15:35.590

Modified: 2025-09-26T14:02:46.583

Link: CVE-2025-56803

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-09-04T13:12:23Z