Figma Desktop Command Injection Vulnerability Allowing Arbitrary OS Command Execution

Vulnerability

A command injection vulnerability has been identified in Figma Desktop for Windows, version 125.6.5. This vulnerability resides in the local plugin loader, where an attacker can execute arbitrary operating system commands by crafting a specific build field in the plugin's manifest.json file. The application processes this field using child_process.exec without any validation, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution, with the possibility of remote code execution, as indicated by the proof of concept available on the vulnerability's GitHub repository.

Reproduction

To reproduce this vulnerability, create a malicious Figma plugin that includes a manifest.json file with a crafted build field. This field should contain the command to be executed. Once the plugin is loaded in Figma, the specified command will be executed immediately, without any security prompts or warnings.

Remediation

Users are advised to avoid relying on user-controlled fields in the plugin manifest, such as the build field, without proper validation. If such fields are necessary, they should be validated to prevent command injection. Additionally, Figma should consider using safer alternatives to Node.js's child_process.exec() for executing commands.

Added: Sep 3, 2025, 6:21 PM
Updated: Sep 3, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.