[Redirected] Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84)
Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/07/23 6:00 PM PDT Updated Date: 2025/07/25 6:00 PM PDT Description: Amazon Q Developer for Visual Studio Code (VS Code) Extension is a development tool that integrates Amazon Q's AI-powered coding assistance directly into the VS Code integrated development environment (IDE). AWS is aware of and has addressed an issue in the Amazon Q Developer for VS Code Extension, which is assigned to CVE-2025-8217. AWS Security has inspected the code and determined the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error. This prevented the malicious code from making changes to any services or customer environments. We will update this bulletin if we have additional information to share. Affected version: Amazon Q Developer for Visual Studio Code Extension (version 1.84.0)
CSIRTS triage
- What
- Malicious code was distributed with the extension but failed to execute due to a syntax error.
- Who is affected
- Users of the Amazon Q Developer Extension for Visual Studio Code version 1.84.0.
- Urgency
- Remediation is necessary as the malicious code was present, although it did not execute.
- Action
- Update to the latest version of the Amazon Q Developer Extension for Visual Studio Code.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Amazon Q Developer Extension for Visual Studio Code
Get an email when a new Amazon Q Developer Extension for Visual Studio Code advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-015/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2025-82170.20% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 10% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2025-8217 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01