CVE-2025-69256

7.5 HIGH

📋 TL;DR

A command injection vulnerability in Serverless Framework's experimental MCP server feature allows attackers to execute arbitrary system commands via unsanitized user input in child_process.exec calls. This affects only users who have enabled the experimental MCP server feature (less than 0.1% of users). Successful exploitation leads to remote code execution under the server process's privileges.

💻 Affected Systems

Products:
  • Serverless Framework with @serverless/mcp package
Versions: 4.29.0 through 4.29.2
Operating Systems: All platforms where Serverless Framework runs
Default Config Vulnerable: ✅ No
Notes: Only affects users who have explicitly enabled the experimental MCP server feature via 'serverless mcp' command. Core Serverless Framework CLI and deployment functionality are not affected.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining the same privileges as the Serverless Framework MCP server process, potentially leading to data theft, lateral movement, or complete system takeover.

🟠 Likely Case: Limited impact due to the experimental nature and low adoption of the MCP server feature, but affected systems could experience unauthorized command execution.

🟢 If Mitigated: Minimal impact if MCP server is not enabled or proper input validation is implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to the MCP server endpoint. The vulnerability is straightforward command injection via shell metacharacters.
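The bug class described above, shown as an added example (not Serverless Framework code): a shell-backed child_process call next to an argument-vector call and an allowlist check. The function names, the `echo` stand-in command and the sample input are hypothetical, and a POSIX shell is assumed.

```javascript
// Added illustration; runTool* and NAME_RE are hypothetical names.
const { execSync, execFileSync } = require('node:child_process');

// Constructed input: a "name" parameter carrying a shell metacharacter.
const HOSTILE = 'demo; echo INJECTED';

// Vulnerable pattern: exec/execSync hand the whole string to a shell,
// so ';' ends the intended command and starts a second one.
function runToolVulnerable(name) {
  return execSync(`echo ${name}`, { encoding: 'utf8' });
}

// Hardened pattern: execFile/execFileSync start the program directly with an
// argument vector; no shell parses the value, so it stays one literal argument.
function runToolHardened(name) {
  return execFileSync('echo', [name], { encoding: 'utf8' });
}

// Defence in depth: accept only the characters a resource name needs.
// Requiring an alphanumeric first character also rejects option-like values ("-x").
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;
function runToolValidated(name) {
  if (typeof name !== 'string' || !NAME_RE.test(name)) {
    throw new TypeError('rejected parameter: unexpected characters');
  }
  return runToolHardened(name);
}

// Runs the same constructed input through all three paths.
function demo() {
  let rejected = false;
  try { runToolValidated(HOSTILE); } catch (e) { rejected = e instanceof TypeError; }
  return {
    vulnerable: runToolVulnerable(HOSTILE), // two commands ran
    hardened: runToolHardened(HOSTILE),     // one command, literal argument
    rejected,                               // allowlist refused the input
    accepted: runToolValidated('my-service_1'),
  };
}

console.log(demo());
```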

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.29.3

Vendor Advisory: https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6

Restart Required: Yes

Instructions:

1. Update Serverless Framework: npm update -g serverless
2. Verify version: serverless --version
3. Restart any running MCP server processes

🔧 Temporary Workarounds

Disable MCP Server Feature (all platforms)

Disable the experimental MCP server feature if not required:

Stop any running 'serverless mcp' processes

🧯 If You Can't Patch

  • Disable the MCP server feature entirely by stopping all 'serverless mcp' processes
  • Implement network segmentation to isolate MCP server from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check if Serverless Framework version is between 4.29.0 and 4.29.2 and MCP server is enabled

Check Version:

serverless --version

Verify Fix Applied:

Verify Serverless Framework version is 4.29.3 or later: serverless --version

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns from Serverless Framework MCP server
  • Shell metacharacters in MCP server input logs

Network Indicators:

  • Unexpected outbound connections from Serverless Framework processes
  • Command execution patterns in MCP server traffic

SIEM Query:

process.name:"node" AND process.args:"serverless mcp" AND (process.args:*|* OR process.args:*>* OR process.args:*&&*)
