The Hidden Dangers of Public Serverless Repositories: An Empirical Security Assessment
Eduard Marin, Jinwoo Kim, Alessio Pavoni, Mauro Conti, Roberto Di Pietro

TL;DR
This paper provides a comprehensive security assessment of public serverless repositories, revealing systemic vulnerabilities and offering practical mitigation strategies to enhance security for developers and organizations.
Contribution
It is the first detailed analysis of security risks in public serverless repositories, identifying key vulnerabilities and proposing mitigation recommendations.
Findings
Identified systemic vulnerabilities like outdated packages and misconfigurations.
Discovered susceptibility to typo-squatting and malicious embedding.
Analyzed over 2,700 serverless components and 125,936 IaC templates.
Abstract
Serverless computing has rapidly emerged as a prominent cloud paradigm, enabling developers to focus solely on application logic without the burden of managing servers or underlying infrastructure. Public serverless repositories have become key to accelerating the development of serverless applications. However, their growing popularity makes them attractive targets for adversaries. Despite this, the security posture of these repositories remains largely unexplored, exposing developers and organizations to potential risks. In this paper, we present the first comprehensive analysis of the security landscape of serverless components hosted in public repositories. We analyse 2,758 serverless components from five widely used public repositories popular among developers and enterprises, and 125,936 Infrastructure as Code (IaC) templates across three widely used IaC frameworks. Our analysis…
Taxonomy
Topics: Security and Verification in Computing · Web Application Security Vulnerabilities · Cloud Data Security Solutions
