{"uuid": "6cb1691a-f76d-4ef5-8f59-86f6ed370041", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-69256", "type": "seen", "source": "https://t.me/htfgtps/1226", "content": "CVE-2025-69256\nThe Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input...", "creation_timestamp": "2026-05-22T13:10:03.000000Z"}