Amazon Q Developer VS Code Extension Code Injection in v1.84.0
CVE-2025-8217 Published on July 30, 2025
Inert Malicious script injected into Amazon Q Developer Visual Studio Code (VS Code) Extension
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however, the injected code contains a syntax error that prevents it from making a successful API call to the Q Developer CLI.
To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.
Vulnerability Analysis
CVE-2025-8217 is exploitable with local system access and requires neither privileges nor user interaction. Its attack complexity is rated low. The rated impact of a successful exploit is none for confidentiality, none for integrity, and none for availability.
Weakness Type
Embedded Malicious Code
The application contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. The term generally refers to a program that performs a useful service but exploits the rights of the program's user in a way the user does not intend.
Products Associated with CVE-2025-8217
Affected Versions
Amazon Q Developer VS Code Extension:
- Version 1.84.0 (any version at or above 1.84.0 and below 1.85.0) is affected.
- Version sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464 is affected.
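As an added defender-side example (not part of the advisory or of the extension itself), the script below inventories a VS Code extensions directory, flags installs that fall in the affected range from this advisory, and compares a downloaded artifact against the sha256 listed above. The extension identifier `amazonwebservices.amazon-q-vscode` and the `~/.vscode/extensions` layout are assumptions; the advisory does not state which artifact the listed hash covers.

```python
"""Detection helper for CVE-2025-8217: flag Amazon Q Developer VS Code
extension installs in the affected range so they can be removed or upgraded.
Constructed example; not code from the advisory or the extension."""
import hashlib
import json
from pathlib import Path

# Assumption: Marketplace identifier of the Amazon Q Developer extension.
EXTENSION_ID = "amazonwebservices.amazon-q-vscode"
AFFECTED_FROM = (1, 84, 0)   # from the advisory
FIXED_VERSION = (1, 85, 0)   # from the advisory
# Hash listed in the advisory; the artifact it covers is not stated there.
KNOWN_BAD_SHA256 = "47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464"

def parse_version(v: str) -> tuple:
    """'1.84.0' -> (1, 84, 0); a pre-release suffix such as '-beta' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_affected_version(v: str) -> bool:
    """True for versions >= 1.84.0 and < 1.85.0, the range the advisory names."""
    ver = parse_version(v)
    return AFFECTED_FROM <= ver < FIXED_VERSION

def matches_known_bad_hash(data: bytes) -> bool:
    """Compare the bytes of a downloaded artifact against the advisory's sha256."""
    return hashlib.sha256(data).hexdigest() == KNOWN_BAD_SHA256

def find_affected(installed: dict) -> list:
    """Given {extension_id: version}, return the ids that should be removed."""
    return [eid for eid, ver in installed.items()
            if eid == EXTENSION_ID and is_affected_version(ver)]

def installed_extensions(root: Path) -> dict:
    """Read publisher, name and version from each package.json directly under
    root (assumed layout: ~/.vscode/extensions/<publisher>.<name>-<version>/)."""
    found = {}
    for manifest in root.glob("*/package.json"):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            found[f"{meta['publisher']}.{meta['name']}"] = meta["version"]
        except (OSError, ValueError, KeyError):
            continue  # unreadable manifest or a directory that is not an extension
    return found

if __name__ == "__main__":
    root = Path.home() / ".vscode" / "extensions"
    for eid in find_affected(installed_extensions(root)):
        print(f"REMOVE {eid}: in CVE-2025-8217 affected range; upgrade to 1.85.0")
```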
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.