CVSS Score: 7.5 Published: 2025-12-31 Full Report: https://cvereports.com/reports/CVE-2025-69256
The Serverless Framework's experimental Model Context Protocol (MCP) server contained a critical command injection vulnerability. By failing to sanitize directory paths passed to a shell command, the tool allowed attackers—or confused LLMs—to execute arbitrary system commands.
A classic OS Command Injection vulnerability in the Serverless Framework's MCP server (@serverless/mcp). The list-projects tool passed unvalidated user input directly into a find command spawned via child_process.exec. This allowed Remote Code Execution (RCE) on the developer's machine. Fixed in version 4.29.3 by switching to execFile and implementing path validation.
- CWE ID: CWE-78 (OS Command Injection)
- CVSS Score: 7.5 (High)
- Attack Vector: Network / Local (via MCP Interface)
- Impact: High (Confidentiality, Integrity, Availability)
- Component: @serverless/mcp
- Vulnerable Function: findServerlessFrameworkProjects (via child_process.exec)
- Serverless Framework CLI (Experimental MCP Server)
- Serverless Framework (MCP): 4.29.0 - 4.29.2 (Fixed in:
4.29.3)
- Input Sanitization: Validate all directory paths against an allowlist or verify existence before usage.
- Avoid Shells: Use
execFileorspawninstead ofexecto prevent shell interpreter abuse. - Principle of Least Privilege: Ensure development tools run with the minimum necessary permissions.
Remediation Steps:
- Upgrade Serverless Framework to version 4.29.3 or later.
- If upgrading is not possible, disable the MCP server component.
- Audit any usage of
serverless mcpfor unusual process execution logs.
- GitHub Advisory: Command Injection in @serverless/mcp
- Node.js Documentation: child_process.exec Security Risks
Generated by CVEReports - Automated Vulnerability Intelligence