cvedb.io
CVE-2025-69256
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-12-30T19:15:45.180 · Last modified 2026-06-17T10:00:23.007

Summary

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The s

Affected products

serverless — serverless


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.