PT-2025-31362 · Amazon+1 · Amazon Q Developer Visual Studio Code Extension+1
Aditya169 · Published 2025-07-30 · Updated 2026-01-16 · CVE-2025-8217
CVSS v4.0: 5.1 (Medium)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber |
Name of the Vulnerable Software and Affected Versions
Amazon Q Developer Visual Studio Code (VS Code) extension version 1.84.0
Description
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains injected code intended to call the Q Developer CLI. This code executes upon extension launch but contains a syntax error, preventing a successful API call.
Recommendations
Upgrade to version 1.85.0.
Remove all installations of version 1.84.0.
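To act on these recommendations, the following added example (not part of the original advisory or of Amazon's tooling) checks a VS Code extension listing for the affected version. The Marketplace ID `amazonwebservices.amazon-q-vscode` is an assumption, since the advisory does not state it; the sample listing is constructed.

```shell
#!/bin/sh
# Added example: flag Amazon Q Developer extension v1.84.0 in the output of
# `code --list-extensions --show-versions` (lines of the form publisher.name@version).

EXT_ID="amazonwebservices.amazon-q-vscode"  # assumption: ID is not given in the advisory
AFFECTED="1.84.0"                           # affected version, from the advisory
FIXED="1.85.0"                              # fixed version, from the advisory

# Reads a listing on stdin and prints one status line per match.
# Exit status: 1 if the affected version is present, 0 otherwise.
check_listing() {
    awk -F'@' -v id="$EXT_ID" -v bad="$AFFECTED" '
        tolower($1) == id {
            seen = 1
            ver = $2
            sub(/\r$/, "", ver)          # tolerate CRLF listings
            if (ver == bad) { print "AFFECTED " $0; hit = 1 }
            else            { print "OK " $0 }
        }
        END {
            if (!seen) print "ABSENT " id
            exit (hit ? 1 : 0)
        }'
}

# Constructed sample listing, for trying the check without VS Code installed.
sample_listing() {
    cat <<'EOF'
ms-python.python@2025.10.0
amazonwebservices.amazon-q-vscode@1.84.0
EOF
}

# Live check, only when the VS Code CLI is on PATH.
if command -v code >/dev/null 2>&1; then
    code --list-extensions --show-versions | check_listing ||
        echo "Remove version $AFFECTED and upgrade to $FIXED."
fi
```

Run it once per user profile and per VS Code installation, since each keeps its own extension set.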
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Amazon Q Developer Visual Studio Code Extension
Visual Studio Code