Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-56803

Description

Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin's manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE. NOTE: this is disputed by the Supplier because the behavior only allows a local user to attack himself via a local plugin. The local build procedure, which is essential to the attack, is not executed for plugins shared to the Figma Community.

POC

Reference

- https://github.com/shinyColumn/CVE-2025-56803

- https://shinycolumn.notion.site/figma-command-injection

Github

- https://github.com/PuddinCat/GithubRepoSpider

- https://github.com/fkie-cad/nvd-json-data-feeds

- https://github.com/nomi-sec/PoC-in-GitHub

- https://github.com/shinyColumn/CVE-2025-56803