Vulnerable Code Injection in Amazon Q Developer Extension for Visual Studio Code
CVE-2025-8217

5.1 MEDIUM

Key Information:

Vendor: Amazon
CVE Published: 30 July 2025

What is CVE-2025-8217?

Version v1.84.0 of the Amazon Q Developer extension for Visual Studio Code contains injected code. The injected code is inert: it was intended to invoke the Q Developer CLI when the extension launches, but a syntax error prevents it from communicating successfully with the Q Developer CLI API. Users are strongly advised to upgrade to v1.85.0 and to remove any v1.84.0 installations to ensure the security of their development environment.

Affected Version(s)

Q Developer VS Code Extension 1.84.0 < 1.85.0

Q Developer VS Code Extension sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
