CVE-2025-4318

CRITICAL

AWS Amplify Studio - Code Injection

Title source: llm

Description

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. An authenticated user with permission to create or modify components can therefore supply a property expression that is executed as arbitrary JavaScript during component rendering and the build process (an eval-injection pattern, CWE-95), so the attacker's code runs with whatever privileges the rendering or build step holds.
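The vulnerability class described above, as an added illustrative example. This is not code from aws-amplify/amplify-codegen-ui or from AWS, and nothing on this page says how the project's own code evaluates expressions or how it was fixed; the component schema shape, the function names and the sample data are assumptions chosen to show the CWE-95 pattern and one way to close it. The vulnerable renderer hands the user-controlled expression to `new Function`; the hardened renderer never evaluates code and instead accepts only a small allowlisted grammar resolved by own-property lookup.

```javascript
// Added illustrative example (not code from aws-amplify/amplify-codegen-ui or AWS).
// Models the CWE-95 pattern in the advisory: a component property expression written
// by a user with component-edit rights reaches the JavaScript engine during render/build.
// Schema shape, names and sample data below are assumptions for illustration only.

// Constructed component: a label whose "text" property is an editor-controlled expression.
const sampleComponent = {
  name: "GreetingLabel",
  properties: { text: { expression: "'Hello, ' + ctx.user.name" } },
};

// Constructed data context that expressions may legitimately reference.
const sampleContext = { user: { name: "Alice" } };

// Constructed malicious expression: a comma expression that runs a side effect
// (here a harmless global write) and still yields a plausible label value.
const maliciousExpression = "(globalThis.__amplifyPoC = 'ran', 'Hello')";

// VULNERABLE: the expression is compiled and run as JavaScript, so the editing
// user's input executes with the privileges of the rendering/build process.
function renderVulnerable(component, ctx) {
  const out = {};
  for (const [prop, spec] of Object.entries(component.properties)) {
    out[prop] = new Function("ctx", `return (${spec.expression});`)(ctx);
  }
  return out;
}

// HARDENED: no code evaluation. The expression must fit a tiny allowlisted grammar,
// term ('+' term)*, where a term is a single-quoted string literal, a numeric literal
// or a dotted path under ctx. Anything else is rejected before resolution.
function tokenize(expr) {
  const re = /\s*(?:('(?:[^'\\]|\\.)*')|(\d+(?:\.\d+)?)|(ctx(?:\.[A-Za-z_]\w*)+)|(\+))\s*/y;
  const tokens = [];
  let i = 0;
  while (i < expr.length) {
    re.lastIndex = i;
    const m = re.exec(expr);
    if (!m) throw new Error(`rejected expression at offset ${i}: ${JSON.stringify(expr)}`);
    if (m[1] !== undefined) tokens.push({ t: "str", v: m[1].slice(1, -1).replace(/\\(.)/g, "$1") });
    else if (m[2] !== undefined) tokens.push({ t: "num", v: Number(m[2]) });
    else if (m[3] !== undefined) tokens.push({ t: "path", v: m[3].split(".").slice(1) });
    else tokens.push({ t: "plus" });
    i = re.lastIndex;
  }
  return tokens;
}

// Resolve ctx.a.b by own-property lookup only, so a path such as
// ctx.constructor.constructor cannot walk the prototype chain to Function.
function resolvePath(ctx, path) {
  let cur = ctx;
  for (const key of path) {
    if (cur === null || typeof cur !== "object" || !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error(`unknown binding ctx.${path.join(".")}`);
    }
    cur = cur[key];
  }
  if (typeof cur !== "string" && typeof cur !== "number") {
    throw new Error(`binding ctx.${path.join(".")} is not a string or number`);
  }
  return cur;
}

function evaluateSafe(expr, ctx) {
  const tokens = tokenize(expr.trim());
  if (tokens.length === 0) throw new Error("empty expression");
  let acc;
  let expectTerm = true;
  for (const tok of tokens) {
    if (expectTerm) {
      if (tok.t === "plus") throw new Error("unexpected '+'");
      const v = tok.t === "path" ? resolvePath(ctx, tok.v) : tok.v;
      acc = acc === undefined ? v : acc + v;
      expectTerm = false;
    } else {
      if (tok.t !== "plus") throw new Error("expected '+' between terms");
      expectTerm = true;
    }
  }
  if (expectTerm) throw new Error("dangling '+'");
  return acc;
}

function renderHardened(component, ctx) {
  const out = {};
  for (const [prop, spec] of Object.entries(component.properties)) {
    out[prop] = evaluateSafe(spec.expression, ctx);
  }
  return out;
}

// Run a renderer and capture either its value or its rejection.
function attempt(fn) {
  try { return { ok: true, value: fn() }; } catch (e) { return { ok: false, error: e.message }; }
}

// Compare both renderers on the benign and the malicious component.
function demonstrate() {
  const withExpr = (expression) => ({ ...sampleComponent, properties: { text: { expression } } });
  return {
    benignVulnerable: renderVulnerable(sampleComponent, sampleContext).text,
    benignHardened: renderHardened(sampleComponent, sampleContext).text,
    maliciousVulnerable: attempt(() => renderVulnerable(withExpr(maliciousExpression), sampleContext).text),
    sideEffectAfterVulnerable: globalThis.__amplifyPoC,  // set by the payload above
    maliciousHardened: attempt(() => renderHardened(withExpr(maliciousExpression), sampleContext).text),
    prototypeWalkHardened: attempt(() => renderHardened(withExpr("ctx.constructor.constructor"), sampleContext).text),
  };
}
```

`demonstrate()` shows both renderers produce `Hello, Alice` for the benign expression, while only the vulnerable one executes the payload (the global write happens and the label still renders, so a reviewer looking at output alone would not notice). The own-property check in `resolvePath` matters even in a no-eval design: a lookup that follows the prototype chain would let `ctx.constructor.constructor` reach `Function` and reopen the hole the grammar closed.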

Scores

CVSS v4 9.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
EPSS 0.24% (0.0024), percentile 46.5%

Note that the vector scores privileges required as none (PR:N) while the description requires an authenticated user who can create or modify components; when assessing exposure, treat the precondition as the set of identities in your account or project that hold component-edit rights in Amplify Studio.

CISA SSVC

Vulnrichment
Exploitation: PoC (proof of concept)
Automatable: yes
Technical Impact: total

Details

CWE
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Status published
Products (1)
Amazon/Amplify Studio (aws-amplify/amplify-codegen-ui) 0.1.0 - 2.20.3; the fix shipped in 2.20.3, so versions before it are affected, and any forked or derivative copies of the codegen package need the same fix applied.
Published May 05, 2025
Tracked Since Feb 18, 2026