CVE-2025-8217
5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber
Summary
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI.
To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Amazon | Q Developer VS Code Extension | 1.84.0 < 1.85.0 | affected |
| Amazon | Q Developer VS Code Extension | sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464 | affected |
Weaknesses
- CWE-506: CWE-506 Embedded Malicious Code
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-015/
- https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gcw
- https://github.com/aws/aws-toolkit-vscode/releases/tag/amazonq%2Fv1.85.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.