CVE-2025-4318
9.5
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Amazon | Amplify Studio | 0.1.0 < 2.20.3 | affected |
Weaknesses
- CWE-95: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
CVE Program Container
Additional References
- https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/
- https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8
- https://github.com/aws-amplify/amplify-codegen-ui/commit/ca98c38b7c3d69ae7c94d2f62b51e32e8165dae6
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-010/
- https://github.com/aws-amplify/amplify-codegen-ui/releases/tag/v2.20.3
- https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.