Vulnerability Description
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-015/
- https://github.com/aws/aws-toolkit-vscode/releases/tag/amazonq%2Fv1.85.0
- https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gc
FAQ
What is CVE-2025-8217?
CVE-2025-8217 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS...
How severe is CVE-2025-8217?
CVE-2025-8217 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-8217?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.