Description
The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could allow an authenticated user with access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.
References (5)
https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/ (various sources)
https://aws.amazon.com/security/security-bulletins/AWS-2025-010/ (various sources; vendor advisory)
https://github.com/aws-amplify/amplify-codegen-ui/releases/tag/v2.20.3 (release notes; patch)
https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8 (vendor advisory)
Scores
CVSS v4: 9.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
EPSS: 0.0100 (percentile 58.2%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-95
Status: published
Products (1)
Amazon/Amplify Studio, affected versions 0.1.0 - 2.20.3
Published: May 05, 2025
Tracked Since: Feb 18, 2026