EUVD-2025-205851

serverless MCP Server vulnerable to Command Injection in list-projects tool...

GHSA-RWC2-F344-Q6W6 serverless MCP Server vulnerable to Command Injection in list-projects tool

Summary A command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This vulnerability only affects users of the experimental MCP server feature serverless mcp, which represents less than 0.1% of Serverless Framework users. The core Serverle...

serverless MCP Server vulnerable to Command Injection in list-projects tool

Summary A command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This vulnerability only affects users of the experimental MCP server feature serverless mcp, which represents less than 0.1% of Serverless Framework users. The core Serverle...

CVE-2025-69256

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This...

CVE-2025-69256

CVE-2025-69256 : The Serverless Framework MCP Server vulnerability enables command injection via unsanitized user input in the list-projects tool. The issue arises when building shell commands with workspaceRoots (user-controlled) and calling child_process.exec without proper sanitization, allowi...

CVE-2025-69256 serverless MCP Server vulnerable to command injection in list-projects tool

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This...

CVE-2025-69256 serverless MCP Server vulnerable to command injection in list-projects tool

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This...

CVE-2025-69256 serverless MCP Server vulnerable to command injection in list-projects tool

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This...

PT-2025-54216

Name of the Vulnerable Software and Affected Versions Serverless Framework versions 4.29.0 through 4.29.2 Description The Serverless Framework includes a command injection issue within the built-in MCP server package @serverless/mcp. This affects users utilizing the experimental MCP server featur...

Serverless Framework 命令注入漏洞

Serverless Framework is a cloud service hosting tool from Serverless open source. A command injection vulnerability exists in Serverless Framework versions 4.29.0 through prior to 4.29.3, which stems from improper cleanup of input parameters to childprocess.exec, which could lead to remote code...

CVE-2025-67718

Form.io exposes a path-handling vulnerability that can let unauthenticated/unauthorized requests access protected API endpoints by sending crafted request paths. Affected versions: 3.5.6 and earlier, and 4.0.0-rc.1 through 4.4.2. Impact is data exposure from endpoints that should be protected. Fi...

EUVD-2025-200178

Malicious code in @wxi-dev/serverless-tsc-config npm...

MAL-2025-191536 Malicious code in @wxi-dev/serverless-tsc-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2044be2f48924b1fbab5515839d24440bd12b3d7df98de95a6b0881665ab3f94 The package @wxi-dev/serverless-tsc-config was found to contain malicious code. Source: ghsa-malware...

com.amazonaws.serverless:aws-serverless-java-container-struts (>=1.9 <=1.9.4), com.jgeppert.struts2.bootstrap:struts2-bootstrap-plugin (>=4.0.2 <=5.0.6) +77 more potentially affected by CVE-2025-64775 via org.apache.struts:struts2-core (>=6.0.0 <=6.7.4)

org.apache.struts:struts2-core MAVEN version =6.0.0, =1.9, =4.0.2, =4.0.2, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =1.4.0, =1.4.1, =1.4.0, =1.4.3 and more Source cves: CVE-2025-64775 Source advisory: SNYK:JAVA-ORG...

com.amazonaws.serverless:aws-serverless-java-container-struts2 (>=1.2 <=1.8.2), com.github.a-pz:struts2-thymeleaf3-plugin (>=1.0.3-RELEASE <=1.2.0-RELEASE) +164 more potentially affected by CVE-2025-64775 via org.apache.struts:struts2-core (>=2.5.1 <=2.5.33)

org.apache.struts:struts2-core MAVEN version =2.5.1, =1.2, =1.0.3-RELEASE, =1.1.9, =0.0.1, =6.0.0, =2.5.1, =2.5.1, =4.0.1 - com.jgeppert.struts2.jquery:struts2-jquery-chart-plugin =4.0.3 - com.jgeppert.struts2.jquery:struts2-jquery-datatables-plugin =4.0.3 -...

MAL-2025-191373 Malicious code in @voiceflow/serverless-plugin-typescript (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7250284d7c2e88d5fb38f55fabf16f35b8da97c4e888154f7f275f2bef975251 The package @voiceflow/serverless-plugin-typescript was found to contain malicious code. Source: google-open-source-security...

EUVD-2025-199389

Malicious code in @voiceflow/serverless-plugin-typescript npm...

GraphFaaS: Serverless GNN Inference for Burst-Resilient, Real-Time Intrusion Detection

Provenance-based intrusion detection is an increasingly popular application of graphical machine learning in cybersecurity, where system activities are modeled as provenance graphs to capture causality and correlations among potentially malicious actions. Graph Neural Networks GNNs have...

Malicious code in fusion-geckodriver-server-less-loader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 958176f41f08e2a4e088ec62423745c59475d2e9e76c5efe48941dde7761aa9f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Advanced Serverless Security: Zero Trust Implementation with AI-Powered Threat Detection

Serverless architectures have fundamentally altered the cybersecurity landscape, creating attack vectors that traditional security models cannot address. After…...