CVE-2025-8217

4.0 MEDIUM

Published: July 30, 2025 Modified: October 14, 2025

Description

The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://aws.amazon.com/security/security-bulletins/AWS-2025-015/

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

https://github.com/aws/aws-toolkit-vscode/releases/tag/amazonq%2Fv1.85.0

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gcw

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

4.0 / 10.0

EPSS (Exploit Probability)

0.0%

0th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-506

Related CVEs

CVE-2026-21652 N/A

CVE-2026-21651 N/A

CVE-2026-21650 N/A

CVE-2026-21649 N/A

CVE-2026-21648 N/A