CVE-2025-8217

MEDIUM

Amazon Q Developer VS Code <1.85.0 - Info Disclosure

Title source: llm

Description

The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.

References (3)

[Various Sources] https://aws.amazon.com/security/security-bulletins/AWS-2025-015/

[Vendor Advisory] https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gcw

[Release Notes] https://github.com/aws/aws-toolkit-vscode/releases/tag/amazonq%2Fv1.85.0

Scores

CVSS v3 4.0

EPSS 0.0001

EPSS Percentile 0.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-506

Status published

Products (2)

Amazon/Q Developer VS Code Extension 1.84.0 - 1.85.0

Amazon/Q Developer VS Code Extension sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464

Published Jul 30, 2025

Tracked Since Feb 18, 2026