CNNVD-202512-5083 Information

CNNVD ID

CNNVD-202512-5083

CVE-2025-69256

  • CNNVD Published: 2025-12-30

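Description (translated from Chinese)

Serverless Framework is an open-source cloud service hosting tool from Serverless. Serverless Framework versions from 4.29.0 up to, but not including, 4.29.3 contain a command injection vulnerability. The vulnerability stems from improper sanitization of the input parameters passed to child_process.exec and may lead to remote code execution.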

Description (English)

Serverless Framework is an open-source cloud service hosting tool from Serverless. Versions of Serverless Framework from 4.29.0 to before 4.29.3 contain a command injection vulnerability, which stems from improper sanitization of the input parameters of child_process.exec and could lead to remote code execution.

Hazard Level

Medium

Vulnerability Type

Command Injection

Affected Vendor

Serverless

Published

2025-12-30

Last Modified

2026-02-24

References

https://github.com/serverless/serverless/blob/6213453da7df375aaf12fb3522ab8870488fc59a/packages/mcp/src/tools/list-projects.js#L68

https://github.com/serverless/serverless/commit/681ca039550c7169369f98780c6301a00f2dc4c4

https://github.com/serverless/serverless/releases/tag/sf-core%404.29.3

https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6

Patch

https://github.com/serverless/serverless/releases
