By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Preferences
Deny all
Accept all
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Winner: Black Hat Europe 2025 Startup Spotlight Competition

Technical Advisory: Serverless Framework MCP Server Command Injection

Disclosed: December 30, 2025
Severity: High
Package/Component: serverless (npm)
Advisories: GHSA-rwc2-f344-q6w6CVE-2025-69256

Executive Summary

What Happened:

A command injection vulnerability was discovered in the Serverless Framework's experimental MCP server feature. The vulnerability allows attackers to execute arbitrary system commands through unsanitized input parameters.

Why It Matters:

  • Supply Chain Risk: The Serverless Framework is widely used for deploying cloud infrastructure. Compromised development environments could lead to poisoned deployments reaching production.
  • Development Environment Exposure: Developers using AI coding assistants with MCP integrations may unknowingly expose their workstations to remote code execution.
  • Lateral Movement Potential: Successful exploitation provides an entry point for attackers to pivot into broader infrastructure, particularly in environments where development machines have access to production credentials.
  • Agentic AI Attack Surface: MCP servers are increasingly integrated into AI agent toolchains. Vulnerabilities in these components represent a new class of attack vectors against autonomous AI systems.

High-Level Risks:

  • Remote code execution on developer workstations or servers running the MCP server
  • Credential theft from compromised development environments
  • Supply chain compromise through poisoned infrastructure deployments
  • Lateral movement into connected cloud infrastructure

Immediate Actions:

  1. Upgrade to Serverless Framework version 4.29.3 or later
  2. Review logs for suspicious workspaceRoots parameter values or unexpected process execution
  3. Disable the experimental MCP server feature if not required (serverless mcp)
  4. Rotate credentials accessible from any potentially affected systems

Overview

Serverless Framework MCP server versions prior to 4.29.0 contain a command injection vulnerability allowing remote code execution through unsanitized workspaceRoots parameters in the list-projects tool. The vulnerability stems from unsafe use of child_process.exec without proper input validation, allowing shell metacharacter injection.

Risk Analysis

This threat is particularly concerning in the context of agentic AI systems due to:

  1. MCP Integration Prevalence: MCP servers are designed to give AI agents access to external tools and data. The Serverless Framework MCP server is part of a growing ecosystem of tool integrations that expand the attack surface of AI-powered development workflows.
  2. Autonomous Tool Invocation: AI agents dynamically decide which tools to invoke based on user prompts. A malicious prompt could instruct an agent to pass crafted input to the vulnerable list-projects tool without user awareness.
  3. Supply Chain Position: The Serverless Framework sits at the nexus of development and deployment. Compromise at this layer can cascade into production infrastructure.

Technical Details

  1. Vulnerable Code Path:
    • The list-projects tool accepts a workspaceRoots array parameter
    • Values are passed directly to child_process.exec via shell command strings
    • No sanitization of shell metacharacters (|, >, &&, $(), etc.)
  2. Exploitation Mechanism:
    • Attacker crafts malicious workspaceRoots value: ["$(id>/tmp/pwned)"]
    • Command is interpolated into: find "$(id>/tmp/pwned)" -name "serverless.yml" ...
    • Shell executes injected command with server process privileges

Impact

Systems affected by this vulnerability may experience:

  • Arbitrary command execution under the server process's privileges
  • Exfiltration of environment variables, credentials, and secrets
  • Installation of persistent backdoors or malware
  • Compromise of connected cloud provider accounts via exposed credentials
  • Poisoned deployments if the attacker modifies Serverless configuration files

Affected Versions

The following versions are known to be affected:

  • Serverless Framework < 4.29.0 (with experimental MCP server feature enabled)

Patched in: >= 4.29.3

Immediate Mitigation Steps

  1. Upgrade immediately:
    npm install -g serverless@latest
    # Verify version
    serverless --version
    # Should show >= 4.29.3
  2. Disable if not required:
    • If the experimental MCP server feature (serverless mcp) is not actively used, do not start it
    • Review which development environments have this feature enabled
  3. Incident response (if potentially compromised):
    • Review process execution logs for unusual commands
    • Search for files created in /tmp or other world-writable directories
    • Rotate all credentials accessible from the affected system
    • Review recent Serverless deployments for unauthorized changes

Long-term Recommendations

  1. MCP Server Security Posture:
    • Audit all MCP servers in your agentic AI infrastructure for similar input validation issues
    • Restrict network exposure of MCP servers—prefer local-only transports over SSE/HTTP when possible
    • Implement allow-lists for tool parameters where feasible
  2. Development Environment Hardening:
    • Isolate AI coding assistants in sandboxed environments
    • Avoid running AI agents with access to production credentials
    • Enable logging and monitoring for all MCP tool invocations
  3. Supply Chain Controls:
    • Pin dependency versions and verify integrity before upgrades
    • Monitor security advisories for MCP-enabled tools in your stack
    • Conduct periodic security reviews of AI agent tool integrations

Framework Context

This incident aligns with multiple security frameworks:

  • OWASP ASI T11 Unexpected RCE: Agentic systems with tool access can be exploited to achieve remote code execution through vulnerabilities in integrated components, bypassing traditional security controls.
  • OWASP ASI T2 Tool Misuse: Attackers exploit the dynamic integration and enhanced autonomy of agentic AI systems to misuse authorized tools through chaining, privilege escalation, or execution of unintended actions.
  • OWASP LLM03:2025 Supply Chain: LLM supply chains are susceptible to vulnerabilities affecting deployment platforms and third-party components.
  • CWE-77 Command Injection: The product constructs commands using externally-influenced input without neutralizing special elements that could modify the intended command.

Updates

We will update this analysis as more information becomes available. Please monitor our security channels for the latest updates.

More Articles

The CISOs Guide to Agentic Security & Governance (Part 1: Executive Edition)
Hanah-Marie Darley
Hanah-Marie Darley
Co-founder & CAIO

The CISOs Guide to Agentic Security & Governance (Part 1: Executive Edition)

An executive-level introduction to agentic security and governance, designed to help CISOs understand emerging AI agent risks and prepare for adoption.

Read more
Understanding Recent n8n Vulnerabilities: Exposure, Risk, and Remediation
Giuseppe Trovato
Giuseppe Trovato
Head of Research

Understanding Recent n8n Vulnerabilities: Exposure, Risk, and Remediation

A practical breakdown of recent n8n vulnerabilities, explaining exposure, risk, and how to choose the right remediation path.

Read more
Technical Advisory: n8n Remote Code Execution via Arbitrary File Write
Giuseppe Trovato
Giuseppe Trovato
Head of Research

Technical Advisory: n8n Remote Code Execution via Arbitrary File Write

Critical vulnerability in n8n workflow automation allows authenticated attackers to achieve remote code execution through Git node exploitation

Read more
Footer graphic with abstract geometric patterns and gradients

Identify your AI Agents and their Risks, Instantly.

Book a Demo