CVE Details
Basic Information
| Title | Inert Malicious script injected into Amazon Q Developer Visual Studio Code (VS Code) Extension |
|---|---|
| Type | cve |
| Published | 2025-07-30T00:34:06.733Z |
| Modified | 2025-07-30T00:34:06.733Z |
Product Information
| Vendor | Amazon |
|---|---|
| Product | Q Developer VS Code Extension |
| Version | 1.84.0 |
CVSS Information
| Base Score | 5.1 (MEDIUM) |
|---|---|
| Vector String | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber |
Affected Products
- Amazon Q Developer VS Code Extension 1.84.0
- Amazon Q Developer VS Code Extension sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464
Additional Information
| CWE List | CWE-506 |
|---|---|
| Source | AMZN |
Description
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however, the injected code contains a syntax error that prevents it from making a successful API call to the Q Developer CLI.
To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.