Vulnerable Code Injection in Amazon Q Developer Extension for Visual Studio Code
CVE-2025-8217

5.1 MEDIUM

Key Information:

Vendor: Amazon

CVE Published: 30 July 2025

What is CVE-2025-8217?

Version v1.84.0 of the Amazon Q Developer extension for Visual Studio Code contains injected code. The code was intended to invoke the Q Developer CLI when the extension launches, but it is inert: a syntax error prevents it from successfully making API calls to the Q Developer CLI. Users are strongly advised to upgrade to version v1.85.0 and remove any v1.84.0 installations to ensure the security of their development environment.

Affected Version(s)

Q Developer VS Code Extension 1.84.0 < 1.85.0

Q Developer VS Code Extension sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
