CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

[Redirected] Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84)

unknownCVE-2025-8217
Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/07/23 6:00 PM PDT Updated Date: 2025/07/25 6:00 PM PDT Description: Amazon Q Developer for Visual Studio Code (VS Code) Extension is a development tool that integrates Amazon Q's AI-powered coding assistance directly into the VS Code integrated development environment (IDE). AWS is aware of and has addressed an issue in the Amazon Q Developer for VS Code Extension, which is assigned to CVE-2025-8217. AWS Security has inspected the code and determined the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error. This prevented the malicious code from making changes to any services or customer environments. We will update this bulletin if we have additional information to share. Affected version: Amazon Q Developer for Visual Studio Code Extension (version 1.84.0)

CSIRTS triage

What
Malicious code was distributed with the extension but failed to execute due to a syntax error.
Who is affected
Users of the Amazon Q Developer Extension for Visual Studio Code version 1.84.0.
Urgency
Remediation is necessary as the malicious code was present, although it did not execute.
Action
Update to the latest version of the Amazon Q Developer Extension for Visual Studio Code.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Amazon Q Developer Extension for Visual Studio Code

Get an email when a new Amazon Q Developer Extension for Visual Studio Code advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-015/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2025-8217coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from AWS Security Bulletins