Serverless applications are widely adopted for their scalability, cost-efficiency, and elastic resource management. However, their event-driven nature introduces complex event chains whose trigger-handler relationships are often determined dynamically by conditional logic, asynchronous callbacks, and resource-state dependencies. Existing security analysis tools, such as CloudFlow, mainly rely on static analysis, making it difficult to capture these dynamic event-chain interactions and the semantics of coarse-grained cloud APIs. As a result, they often fail to bridge the gap between architectural reachability and semantic feasibility, leading to both false positives and false negatives.

To address this limitation, we propose SymFlow, an event-chain-aware symbolic execution framework for sensitive data flow detection in serverless applications. SymFlow combines static architectural analysis with symbolic reasoning to identify feasible event chains and validate their concrete code semantics across service boundaries. By constraining exploration with architectural event dependencies while semantically analyzing inter-function and inter-service behaviors along each event chain, SymFlow can more precisely recover real sensitive data flows and substantially reduce spurious results from purely static reasoning. Evaluated on CloudBench and 104 real-world AWSomePy applications, SymFlow reports 36.6% more sensitive data flows than CloudFlow, improves detection precision by 14.4% and increases event-chain coverage by 73.6%. It also discovered two previously unknown zero-day vulnerabilities in real-world applications.