CVE-2025-8217

Summary

The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI.

To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.

Affected Software

VendorProductVersion RangeStatus
AmazonQ Developer VS Code Extension1.84.0 < 1.85.0affected
AmazonQ Developer VS Code Extensionsha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464affected

Weaknesses

  • CWE-506: CWE-506 Embedded Malicious Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References