CVE-2025-8217
BaseFortify

Publication date: 2025-07-30

Last updated on: 2025-10-14

Assigner: AMZN

Description
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however, the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.
Meta Information
Published: 2025-07-30
Last Modified: 2025-10-14
Generated: 2026-05-07
AI Q&A: 2025-07-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product                 Version / Range
amazon   q_developer_extension   1.85.0
amazon   q_developer_extension   1.84.0
CWE
CWE-506: The product contains code that appears to be malicious in nature.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Amazon Q Developer Visual Studio Code extension version 1.84.0, which contained malicious code injected through an inappropriately scoped GitHub token in the extension's build configuration. This allowed a threat actor to commit malicious code into the extension's repository, which was then included in the 1.84.0 release. However, the malicious code contained a syntax error that prevented it from executing successfully. [1, 2]


How can this vulnerability impact me?

If you are using version 1.84.0 of the Amazon Q Developer VS Code extension, the malicious code present could potentially have been used to perform unauthorized actions. However, due to a syntax error in the injected code, no unauthorized changes to AWS services or customer environments occurred. Despite this, the presence of malicious code poses a security risk, so users are strongly advised to uninstall version 1.84.0 and upgrade to version 1.85.0 to mitigate any potential impact. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying whether the Amazon Q Developer Visual Studio Code extension version 1.84.0 is installed on your system. Since the malicious code is embedded in this specific version, checking the installed extension version is key. You can use the VS Code command-line interface or check the extensions directory to verify the version. For example, from a terminal run `code --list-extensions --show-versions` and look for the Amazon Q Developer extension at version 1.84.0. Alternatively, check the extensions folder for a directory carrying that version number. There are no specific network detection commands provided. [1, 2]
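The following script is an added example, not part of the advisory or of AWS's tooling. It automates the two checks described above: it parses `code --list-extensions --show-versions` output (one `publisher.name@version` line per extension) for the affected version, and it looks for the corresponding unpacked directory under the VS Code extensions folder. The extension id `amazonwebservices.amazon-q-vscode` and the `<publisher>.<name>-<version>` directory layout are assumptions; confirm both against your own installation before relying on the result.

```shell
#!/bin/sh
# Added example: detect the affected Amazon Q Developer VS Code extension
# version (CVE-2025-8217). Assumed extension id; verify locally.
AFFECTED_ID="amazonwebservices.amazon-q-vscode"
AFFECTED_VERSION="1.84.0"

# Reads "publisher.name@version" lines on stdin (the format printed by
# `code --list-extensions --show-versions`). Prints any matching line and
# returns 0 if the affected version is present, 1 otherwise.
find_affected_q_extension() {
  awk -v id="$AFFECTED_ID" -v ver="$AFFECTED_VERSION" -F'@' '
    $1 == id && $2 == ver { print; found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Live check on the current host: feed the real CLI output to the parser.
scan_installed_extensions() {
  code --list-extensions --show-versions 2>/dev/null | find_affected_q_extension
}

# Directory check: VS Code normally unpacks each extension into
# <publisher>.<name>-<version> under the extensions folder (assumed layout).
# $1 is the extensions directory; defaults to ~/.vscode/extensions.
find_affected_in_dir() {
  dir="${1:-$HOME/.vscode/extensions}"
  [ -d "$dir/$AFFECTED_ID-$AFFECTED_VERSION" ]
}

# Constructed sample CLI output (not from a real machine) so the script runs
# stand-alone; in practice call scan_installed_extensions instead.
SAMPLE_VULNERABLE='ms-python.python@2024.12.0
amazonwebservices.amazon-q-vscode@1.84.0
redhat.java@1.30.0'
SAMPLE_CLEAN='ms-python.python@2024.12.0
amazonwebservices.amazon-q-vscode@1.85.0'

if printf '%s\n' "$SAMPLE_VULNERABLE" | find_affected_q_extension; then
  echo "affected version found: uninstall 1.84.0 and install 1.85.0"
fi
if ! printf '%s\n' "$SAMPLE_CLEAN" | find_affected_q_extension; then
  echo "clean sample: no affected version present"
fi
```

On a real host, run `scan_installed_extensions` and `find_affected_in_dir` (with no argument) and treat a zero exit status from either as a finding; the CLI check covers the active profile, while the directory check also catches a 1.84.0 copy left behind after the extension was disabled rather than uninstalled.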


What immediate steps should I take to mitigate this vulnerability?

Immediately uninstall all installations of Amazon Q Developer Visual Studio Code extension version 1.84.0. Then upgrade to version 1.85.0, which contains the patched code with the malicious code removed. AWS has also removed version 1.84.0 from all distribution channels to prevent further installations. Ensure that any forked or derivative copies of version 1.84.0 are also removed and updated. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

