THREATINT
PUBLISHED

CVE-2025-8217

Inert Malicious script injected into Amazon Q Developer Visual Studio Code (VS Code) Extension



Description

The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however, the injected code contains a syntax error that prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.

Reserved 2025-07-25 | Published 2025-07-30 | Updated 2025-07-30 | Assigner AMZN


MEDIUM: 5.1 | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber

MEDIUM: 4.0 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-506 Embedded Malicious Code

Product status

Default status | unaffected

1.84.0 before 1.85.0 | affected

sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464 | affected

References

aws.amazon.com/security/security-bulletins/AWS-2025-015/ vendor-advisory

github.com/...vscode/security/advisories/GHSA-7g7f-ff96-5gcw third-party-advisory

cve.org (CVE-2025-8217)

nvd.nist.gov (CVE-2025-8217)
