Serverless
CVE-2025-69256
Severity: HIGH (primary rating from GitHub Advisory, the only source for this CVE)
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (GitHub Advisory)
The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). Version 4.29.3 fixes the issue.
Analysis (AI)
Command injection in Serverless Framework versions 4.29.0 through 4.29.2 allows remote code execution through the experimental MCP server feature (@serverless/mcp package). Attackers can inject arbitrary shell commands via unsanitized input parameters passed to child_process.exec, achieving RCE under the server process's privileges. Publicly available exploit code exists (GHSA-rwc2-f344-q6w6). Impact is limited to the less than 0.1% of users who use the experimental serverless mcp feature. EPSS probability is low at 0.05% (16th percentile).
Technical Context (AI)
The vulnerability affects the Serverless Framework's @serverless/mcp package (cpe:2.3:a:serverless:serverless:*:*:*:*:*:*:*:*), specifically versions 4.29.0 through 4.29.2. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), manifesting in the list-projects.js module at line 68 where user-controlled input is directly interpolated into shell commands executed via Node.js child_process.exec without sanitization. This design pattern enables shell metacharacter injection using operators such as pipe (|), redirection (>), command chaining (&&, ;), and backtick substitution. The MCP (Model Context Protocol) server feature is experimental and represents a development-focused interface for serverless project management, not the core deployment functionality. The vulnerable code path constructs OS commands as strings rather than using parameterized array-based execution, creating the classic conditions for command injection.
Remediation (AI)
Upgrade Serverless Framework to version 4.29.3 or later, which contains the complete fix for command injection in the @serverless/mcp package (vendor-released patch: 4.29.3). The remediation commit is documented at https://github.com/serverless/serverless/commit/681ca039550c7169369f98780c6301a00f2dc4c4 and the patched release is available at https://github.com/serverless/serverless/releases/tag/sf-core%404.29.3. Organizations unable to immediately upgrade should disable the experimental MCP server feature entirely by avoiding serverless mcp commands and removing any automation or integrations that invoke the @serverless/mcp package. Network-level controls such as restricting which users and systems can access MCP server endpoints can provide defense-in-depth but do not eliminate the vulnerability. Review application logs for unusual command patterns or unexpected child process executions that may indicate exploitation attempts. Consult the full vendor advisory at https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6 for additional context.