Never disclose security vulnerabilities publicly in Issues until it's fixed and most of users have upgraded to the patched version.
Reach out to security@serverlessly.dev. We'll work together on patching the vulnerability and follow some form of Responsible Disclosure once fixed.