CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-69256
CVSS 7.5 · EPSS 0.04%

Serverless Command Injection: When 'Experimental' Means 'Remote Shell'

Alon Barad
Software Engineer

Jan 1, 2026·4 min read·13 visits

PoC Available

Executive Summary (TL;DR)

A classic OS Command Injection vulnerability in the Serverless Framework's MCP server (`@serverless/mcp`). The `list-projects` tool passed unvalidated user input directly into a `find` command spawned via `child_process.exec`. This allowed Remote Code Execution (RCE) on the developer's machine. Fixed in version 4.29.3 by switching to `execFile` and implementing path validation.

The Serverless Framework's experimental Model Context Protocol (MCP) server contained a critical command injection vulnerability. By failing to sanitize directory paths passed to a shell command, the tool allowed attackers—or confused LLMs—to execute arbitrary system commands.

Official Patches

Serverless: Release notes for version 4.29.3 containing the fix.

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.04%
Top 99% most exploited

Affected Systems

Serverless Framework CLI (Experimental MCP Server)

Affected Versions Detail

Product: Serverless Framework (MCP)
Vendor: Serverless, Inc.
Affected Versions: 4.29.0 - 4.29.2
Fixed Version: 4.29.3

Attribute: Detail
CWE ID: CWE-78 (OS Command Injection)
CVSS Score: 7.5 (High)
Attack Vector: Network / Local (via MCP Interface)
Impact: High (Confidentiality, Integrity, Availability)
Component: @serverless/mcp
Vulnerable Function: findServerlessFrameworkProjects (via child_process.exec)

MITRE ATT&CK Mapping

T1059 Command and Scripting Interpreter (Execution)
T1204 User Execution (Execution)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Known Exploits & Detection

GitHub Advisory: Proof of concept demonstrating directory traversal and command execution.

Vulnerability Timeline

2025-02-17: Vulnerability identified and patch committed (681ca03)
2025-02-19: Serverless Framework v4.29.3 released
2025-02-20: Advisory GHSA-rwc2-f344-q6w6 published

References & Sources

  • [1] GitHub Advisory: Command Injection in @serverless/mcp
  • [2] Node.js Documentation: child_process.exec Security Risks

Attack Flow Diagram
