CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2025-69256

Serverless Command Injection: When 'Experimental' Means 'Remote Shell'

Alon Barad
Alon Barad
Software Engineer

Jan 1, 2026·4 min read·50 visits

Executive Summary (TL;DR)

A classic OS Command Injection vulnerability in the Serverless Framework's MCP server (`@serverless/mcp`). The `list-projects` tool passed unvalidated user input directly into a `find` command spawned via `child_process.exec`. This allowed Remote Code Execution (RCE) on the developer's machine. Fixed in version 4.29.3 by switching to `execFile` and implementing path validation.

The Serverless Framework's experimental Model Context Protocol (MCP) server contained a critical command injection vulnerability. By failing to sanitize directory paths passed to a shell command, the tool allowed attackers—or confused LLMs—to execute arbitrary system commands.

Official Patches

ServerlessRelease notes for version 4.29.3 containing the fix.

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.04%
Top 99% most exploited

Affected Systems

Serverless Framework CLI (Experimental MCP Server)

Affected Versions Detail

Product
Affected Versions
Fixed Version
Serverless Framework (MCP)
Serverless, Inc.
4.29.0 - 4.29.24.29.3
AttributeDetail
CWE IDCWE-78 (OS Command Injection)
CVSS Score7.5 (High)
Attack VectorNetwork / Local (via MCP Interface)
ImpactHigh (Confidentiality, Integrity, Availability)
Component@serverless/mcp
Vulnerable FunctionfindServerlessFrameworkProjects (via child_process.exec)

MITRE ATT&CK Mapping

T1059Command and Scripting Interpreter
Execution
T1204User Execution
Execution
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Known Exploits & Detection

GitHub AdvisoryProof of concept demonstrating directory traversal and command execution.

Vulnerability Timeline

Vulnerability identified and patch committed (681ca03)
2025-02-17
Serverless Framework v4.29.3 released
2025-02-19
Advisory GHSA-rwc2-f344-q6w6 published
2025-02-20

References & Sources

  • [1]GitHub Advisory: Command Injection in @serverless/mcp
  • [2]Node.js Documentation: child_process.exec Security Risks

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 12 hours ago•CVE-2026-39922
6.3

CVE-2026-39922: Server-Side Request Forgery in GeoNode Service Registration Endpoint

GeoNode versions prior to 4.4.5 and 5.0.2 are vulnerable to Server-Side Request Forgery (SSRF) in the service registration endpoint. Authenticated attackers with low privileges can exploit insufficient input validation in the Web Map Service (WMS) registration module to force the application server to make outbound network queries to loopback addresses, private RFC1918 subnets, link-local scopes, and cloud metadata endpoints. This technical report details the mechanics of the vulnerability, the underlying architectural flaw, and how to effectively remediate and mitigate the associated security risks.

Alon Barad
Alon Barad
4 views•7 min read
•about 21 hours ago•CVE-2022-0492
7.8

CVE-2022-0492: Privilege Escalation and Container Escape via cgroups v1 release_agent

CVE-2022-0492 is a high-severity missing authorization vulnerability in the Linux kernel's Control Groups (cgroups) v1 implementation. The flaw resides within the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c, where the kernel fails to validate if the process writing to the release_agent file possesses administrative capabilities in the initial user namespace. This allows a local attacker inside a container with root privileges (UID 0) to abuse user namespaces, mount a cgroups v1 directory, modify the release_agent parameter, and execute arbitrary commands on the host system as host root, effectively achieving a complete container escape.

Amit Schendel
Amit Schendel
8 views•7 min read
•3 days ago•GHSA-G72G-R7M4-9X4G
6.3

GHSA-G72G-R7M4-9X4G: Insufficient Session Expiration of OAuth Tokens in NocoDB

NocoDB is subject to an insufficient session expiration vulnerability where OAuth access and refresh tokens are not invalidated or revoked during security-sensitive actions such as password changes, forgot-password requests, or password resets. This allows an attacker possessing an active OAuth token to maintain unauthorized persistence.

Amit Schendel
Amit Schendel
12 views•6 min read
•3 days ago•GHSA-FGMC-2HQJ-86V4
6.9

GHSA-FGMC-2HQJ-86V4: Default Administrative Credentials in vantage6-server

A vulnerability in the vantage6 federated learning framework allows unauthenticated remote attackers to gain administrative control of the server via hardcoded default credentials (root/root) when deployed under default configurations in versions 4.2.3 and below.

Amit Schendel
Amit Schendel
8 views•5 min read
•3 days ago•GHSA-X9F6-9RVM-MMRG
6.9

GHSA-X9F6-9RVM-MMRG: Improper Access Control and Volume Mount Isolation Bypass in vantage6 Node

An improper access control vulnerability in the vantage6 node component allows concurrently running algorithm containers to read and modify sensitive input and output files of other tasks. The lack of strict workspace directory isolation exposes a significant attack surface in multi-tenant or federated environments where untrusted algorithms are executed.

Amit Schendel
Amit Schendel
3 views•4 min read
•3 days ago•CVE-2026-47760
8.7

CVE-2026-47760: Cross-Site Scripting (XSS) via SVG Namespace Sanitizer Bypass in TinyMCE

TinyMCE versions 6.8.0 through 7.0.1 contain a high-severity Cross-Site Scripting (XSS) vulnerability. The flaw exists in the custom HTML parser and sanitizer module, which incorrectly manages SVG namespace scopes when parsing nested elements. A low-privileged or unauthenticated attacker can submit a crafted HTML payload containing nested SVG structures to bypass sanitization filters, leading to arbitrary JavaScript execution in the context of the victim's browser session.

Alon Barad
Alon Barad
30 views•7 min read