CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Amazon Q Developer and Kiro – Prompt Injection Issues in Kiro and Q IDE plugins

unknown
Bulletin ID: AWS-2025-019 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/10/07 01:30 PM PDT Description: We are aware of blog posts by Embrace The Red (“The Month of AI Bugs”) describing prompt injection issues in Amazon Q Developer and Kiro. Amazon Q Developer: Remote Code Execution with Prompt Injection” and “Amazon Q Developer for VS Code Vulnerable to Invisible Prompt Injection. These issues require an open chat session and intentional access to a malicious file using commands such as find, grep, or echo, which could be executed without Human-in-the-Loop (HITL) confirmation. In some cases, invisible control characters could obfuscate these commands. On July 17, 2025, we released Language Server v1.22.0, which requires HITL confirmation for these commands Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection. This issue requires a developer to accept a prompt-injected suggestion including commands such as ping or dig, which could exfiltrate metadata via DNS queries without HITL confirmation. On July 29, 2025, we released Language Server v1.24.0, which requires HITL confirmation for these commands. AWS Kiro: Arbitrary Code Execution via Indirect Prompt Injection. This issue requires local system access to inject instructions that lead to arbitrary code execution via Kiro IDE or MCP settings files without HITL confirmation in either Kiro's Autopilot or Supervised mode. On August 1, 2025, we released Kiro version 0.1.42, which requires HITL confirmation for these actions when configured in Supervised mode. Amazon Q Developer and Kiro are built on the principles of agentic development, enabling developers to work more efficiently with the help of AI agents. As customers adopt AI-enhanced development workflows, we recommend they evaluate and implement appropriate security controls and policies based on their specific environments and shared responsibility models (AWS, Amazon Q, Kiro). Amazon Q Developer and Kiro provide safegu

CSIRTS triage

What
There are prompt injection issues that could lead to remote code execution.
Who is affected
Users of the Kiro IDE plugin who have open chat sessions and access to malicious files.
Urgency
Remediation is important due to the potential for remote code execution, although exploitation requires specific conditions.
Action
Update to the latest version that requires Human-in-the-Loop confirmation for commands.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Kiro

Get an email when a new Kiro advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-019/

Recent advisories for Amazon Q Developer

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from AWS Security Bulletins