CVE-2025-69256

Severity: HIGH
Published: 2025-12-30 ([email protected])
CVSS 3.1 base score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Analysis Generated: Mar 23, 2026 - 14:52 (vuln.today)
Patch Released: Mar 23, 2026 - 14:52 (nvd) - Patch available
PoC Detected: Mar 23, 2026 - 14:42 (vuln.today) - Public exploit code
CVE Published: Dec 30, 2025 - 19:15 (nvd)

Description

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue.

Analysis

Command injection in Serverless Framework versions 4.29.0 through 4.29.2 allows remote code execution through the experimental MCP server feature (@serverless/mcp package). Attackers can inject arbitrary shell commands via unsanitized input parameters passed to child_process.exec, achieving RCE under the server process's privileges. Publicly available exploit code exists (GHSA-rwc2-f344-q6w6). Impact is limited to the less than 0.1% of users who use the experimental serverless mcp feature. EPSS probability is low at 0.05% (16th percentile).

Technical Context

The vulnerability affects the Serverless Framework's @serverless/mcp package (cpe:2.3:a:serverless:serverless:*:*:*:*:*:*:*:*), specifically versions 4.29.0 through 4.29.2. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), manifesting in the list-projects.js module at line 68 where user-controlled input is directly interpolated into shell commands executed via Node.js child_process.exec without sanitization. This design pattern enables shell metacharacter injection using operators such as pipe (|), redirection (>), command chaining (&&, ;), and backtick substitution. The MCP (Model Context Protocol) server feature is experimental and represents a development-focused interface for serverless project management, not the core deployment functionality. The vulnerable code path constructs OS commands as strings rather than using parameterized array-based execution, creating the classic conditions for command injection.

Affected Products

Serverless Framework versions 4.29.0, 4.29.1, and 4.29.2 are affected, specifically installations using the experimental @serverless/mcp package feature. The affected product is identified by CPE cpe:2.3:a:serverless:serverless:*:*:*:*:*:*:*:*. The core Serverless Framework CLI and standard deployment functionality remain unaffected. Users can determine their exposure by checking whether they have invoked the serverless mcp command or integrated the MCP server into their workflows. The vendor security advisory is available at https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6, with technical details and the vulnerable code at https://github.com/serverless/serverless/blob/6213453da7df375aaf12fb3522ab8870488fc59a/packages/mcp/src/tools/list-projects.js#L68.

Remediation

Upgrade Serverless Framework to version 4.29.3 or later, which contains the complete fix for command injection in the @serverless/mcp package (vendor-released patch: 4.29.3). The remediation commit is documented at https://github.com/serverless/serverless/commit/681ca039550c7169369f98780c6301a00f2dc4c4 and the patched release is available at https://github.com/serverless/serverless/releases/tag/sf-core%404.29.3. Organizations unable to immediately upgrade should disable the experimental MCP server feature entirely by avoiding serverless mcp commands and removing any automation or integrations that invoke the @serverless/mcp package. Network-level controls such as restricting which users and systems can access MCP server endpoints can provide defense-in-depth but do not eliminate the vulnerability. Review application logs for unusual command patterns or unexpected child process executions that may indicate exploitation attempts. Consult the full vendor advisory at https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6 for additional context.

Priority Score

58 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.1, CVSS +38, POC +20

CVE-2025-69256 vulnerability details – vuln.today
