← voltar
CVE-2025-8217

Inert Malicious script injected into Amazon Q Developer Visual Studio Code (VS Code) Extension

CVSS 5.1 MEDIUMEPSS 0.2%CWE-506
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber
Produtos afetados
Amazon · Q Developer VS Code Extension

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://aws.amazon.com/security/security-bulletins/AWS-2025-015/https://github.com/aws/aws-toolkit-vscode/releases/tag/amazonq%2Fv1.85.0https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gcw