Amazon Q Developer and Kiro – Prompt Injection Issues in Kiro and Q IDE plugins
Bulletin ID: AWS-2025-019 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/10/07 01:30 PM PDT Description: We are aware of blog posts by Embrace The Red (“The Month of AI Bugs”) describing prompt injection issues in Amazon Q Developer and Kiro. Amazon Q Developer: Remote Code Execution with Prompt Injection” and “Amazon Q Developer for VS Code Vulnerable to Invisible Prompt Injection. These issues require an open chat session and intentional access to a malicious file using commands such as find, grep, or echo, which could be executed without Human-in-the-Loop (HITL) confirmation. In some cases, invisible control characters could obfuscate these commands. On July 17, 2025, we released Language Server v1.22.0, which requires HITL confirmation for these commands Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection. This issue requires a developer to accept a prompt-injected suggestion including commands such as ping or dig, which could exfiltrate metadata via DNS queries without HITL confirmation. On July 29, 2025, we released Language Server v1.24.0, which requires HITL confirmation for these commands. AWS Kiro: Arbitrary Code Execution via Indirect Prompt Injection. This issue requires local system access to inject instructions that lead to arbitrary code execution via Kiro IDE or MCP settings files without HITL confirmation in either Kiro's Autopilot or Supervised mode. On August 1, 2025, we released Kiro version 0.1.42, which requires HITL confirmation for these actions when configured in Supervised mode. Amazon Q Developer and Kiro are built on the principles of agentic development, enabling developers to work more efficiently with the help of AI agents. As customers adopt AI-enhanced development workflows, we recommend they evaluate and implement appropriate security controls and policies based on their specific environments and shared responsibility models (AWS, Amazon Q, Kiro). Amazon Q Developer and Kiro provide safegu
CSIRTS triage
- What
- There are prompt injection issues that could lead to remote code execution.
- Who is affected
- Users of the Kiro IDE plugin who have open chat sessions and access to malicious files.
- Urgency
- Remediation is important due to the potential for remote code execution, although exploitation requires specific conditions.
- Action
- Update to the latest version that requires Human-in-the-Loop confirmation for commands.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Kiro
Get an email when a new Kiro advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-019/
Recent advisories for Amazon Q Developer
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01