CVE Reports

Originally published at cvereports.com

CVE-2025-69256: Serverless Command Injection: When 'Experimental' Means 'Remote Shell'

Vulnerability ID: CVE-2025-69256
CVSS Score: 7.5
Published: 2025-12-31

The Serverless Framework's experimental Model Context Protocol (MCP) server contained a critical command injection vulnerability. By failing to sanitize directory paths passed to a shell command, the tool allowed attackers—or confused LLMs—to execute arbitrary system commands.

TL;DR

A classic OS Command Injection vulnerability in the Serverless Framework's MCP server (@serverless/mcp). The list-projects tool passed unvalidated user input directly into a find command spawned via child_process.exec. This allowed Remote Code Execution (RCE) on the developer's machine. Fixed in version 4.29.3 by switching to execFile and implementing path validation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • CVSS Score: 7.5 (High)
  • Attack Vector: Network / Local (via MCP Interface)
  • Impact: High (Confidentiality, Integrity, Availability)
  • Component: @serverless/mcp
  • Vulnerable Function: findServerlessFrameworkProjects (via child_process.exec)

Affected Systems

  • Serverless Framework CLI (Experimental MCP Server)
  • Serverless Framework (MCP): 4.29.0 - 4.29.2 (Fixed in: 4.29.3)

Code Analysis

Commit: 681ca03

fix(mcp): mitigate command injection in project finder

- const { stdout } = await execAsync(`find "${rootDir}" ...`)
+ const { stdout } = await execFileAsync('find', [rootDir, ...])
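Review bot: Nothing in this hunk shows rootDir being validated before it becomes find's first argument on the added execFileAsync line. A shell no longer parses it, but a value beginning with - would be read by find as an option or expression rather than a start path, and any readable directory on the machine could still be searched. Resolve rootDir to an absolute path and confirm it is an existing directory inside the expected workspace before this call, and check that the elided "..." arguments contain no caller-controlled strings.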

Exploit Details

  • GitHub Advisory: Proof of concept demonstrating directory traversal and command execution.

Mitigation Strategies

  • Input Sanitization: Validate all directory paths against an allowlist or verify existence before usage.
  • Avoid Shells: Use execFile or spawn instead of exec to prevent shell interpreter abuse.
  • Principle of Least Privilege: Ensure development tools run with the minimum necessary permissions.
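The first two mitigations combined, as an added example that is not the Serverless Framework's own code. The helper names (validateRootDir, findProjects, makeSampleWorkspace), the workspace allowlist and the serverless.yml file name are assumptions made for illustration.

```javascript
const { execFileSync } = require('child_process');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: resolve the caller-supplied path and require an existing
// directory inside allowedBase (the workspace the tool is permitted to scan).
function validateRootDir(input, allowedBase) {
  if (typeof input !== 'string' || input.length === 0 || input.includes('\0')) {
    throw new Error('rootDir must be a non-empty string');
  }
  const base = fs.realpathSync(allowedBase);
  // realpathSync throws if the path does not exist and resolves symlinks,
  // so a link pointing outside the workspace fails the prefix check below.
  const real = fs.realpathSync(path.resolve(base, input));
  if (real !== base && !real.startsWith(base + path.sep)) {
    throw new Error('rootDir is outside the allowed workspace');
  }
  if (!fs.statSync(real).isDirectory()) {
    throw new Error('rootDir is not a directory');
  }
  return real; // absolute, so find cannot read it as an option
}

// No shell is involved: find receives every argv element unchanged.
// The search arguments are assumed; the page elides the real ones.
function findProjects(input, allowedBase) {
  const rootDir = validateRootDir(input, allowedBase);
  const argv = [rootDir, '-name', 'serverless.yml', '-type', 'f'];
  const out = execFileSync('find', argv, { encoding: 'utf8', timeout: 10000 });
  return out.split('\n').filter(Boolean).sort();
}

// Constructed sample workspace. One directory name contains shell
// metacharacters to show that it is handled as plain data.
function makeSampleWorkspace() {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'mcp-ws-'));
  for (const dir of ['api', 'odd name; $(echo x)']) {
    fs.mkdirSync(path.join(ws, dir));
    fs.writeFileSync(path.join(ws, dir, 'serverless.yml'), 'service: demo\n');
  }
  return ws;
}
```

The validator rejects paths that do not exist, so a string carrying extra shell syntax fails before any process is started.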

Remediation Steps:

  1. Upgrade Serverless Framework to version 4.29.3 or later.
  2. If upgrading is not possible, disable the MCP server component.
  3. Audit process execution logs for unusual activity from any usage of serverless mcp.

Read the full report for CVE-2025-69256 on our website for more details including interactive diagrams and full exploit analysis.