CVE-2025-69256
Command Injection in Serverless Framework MCP Server Enables RCE
Publication date: 2025-12-30
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| serverless | serverless | From 4.29.0 (inc) to 4.29.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69256 is a command injection vulnerability in the Serverless Framework's experimental MCP server package (@serverless/mcp) affecting versions from 4.29.0 up to but not including 4.29.3. It occurs because the MCP server uses unsanitized user input parameters directly in shell commands executed via child_process.exec, allowing attackers to inject arbitrary system commands. This vulnerability only affects users of the experimental MCP server feature, which is less than 0.1% of Serverless Framework users. Successful exploitation can lead to remote code execution with the privileges of the server process. The issue was fixed in version 4.29.3 by replacing exec with execFile and adding input validation. [4, 1]
How can this vulnerability impact me?
If you run the experimental MCP server feature of the Serverless Framework and untrusted parties can influence the tool calls it receives, this vulnerability allows remote attackers to execute arbitrary system commands on that host with the privileges of the server process. Note that MCP tool parameters are produced by the calling model, so "untrusted input" includes anything an attacker can get the model to place into a tool call, not only direct requests to the server. Successful exploitation can lead to full compromise of the host, including unauthorized access, data manipulation, or disruption of services. The core Serverless Framework CLI and deployment functions are not affected, and only a very small subset of users (less than 0.1%) who use the MCP server feature are impacted. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Serverless Framework MCP server is running an affected version (4.29.0 or later, but earlier than 4.29.3) and whether the experimental MCP server feature is enabled. Because the flaw is command injection through unsanitized input to shell commands, you can also look for artifacts left by injected commands (e.g., a file such as /tmp/TEST created by a proof of concept) and monitor for unexpected files or child processes spawned by the MCP server process. No specific detection commands are provided in the resources. Confirming the installed version and upgrading to 4.29.3 or later is the most practical check. [4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Serverless Framework MCP server package to version 4.29.3 or later, where the vulnerability is fixed by replacing the unsafe use of child_process.exec with child_process.execFile and validating input parameters before they reach a command. If you cannot upgrade yet, disable the experimental MCP server feature or restrict which clients can reach it. More generally, never interpolate untrusted input into a shell command string; pass arguments as an array to execFile or spawn without a shell, and reject values that do not match an allowlist. [1, 3, 4]