CVE-2025-4318

Input validation issue in AWS Amplify Studio UI component properties

CVSS 9.5 CRITICALEPSS 1.0%CWE-95

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products

Amazon · Amplify Studio

public PoCs found — 1

cve_referenceblog.securelayer7.net/cve-2025-4318-aws-amplify-rce/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://aws.amazon.com/security/security-bulletins/AWS-2025-010/https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/https://github.com/aws-amplify/amplify-codegen-ui/commit/ca98c38b7c3d69ae7c94d2f62b51e32e8165dae6 https://github.com/aws-amplify/amplify-codegen-ui/releases/tag/v2.20.3 https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8