CVE-2025-8217
Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/07/23 6:00 PM PDT Updated Date: 2025/07/25 6:00 PM PDT Description: Amazon Q Developer for Visual Studio Code (VS Code) Extension is a development tool that integrates Amazon Q's AI-powered coding assistance directly into the VS Code integrated development environment (IDE). AWS is aware of and has addressed an issue in the Amazon Q Developer for VS Code Extension, which is assigned to CVE-2025-8217. AWS Security has inspected the code and determined the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error. This prevented the malicious code from making changes to any services or customer environments. We will update this bulletin if we have additional information to share. Affected version: Amazon Q Developer for Visual Studio Code Extension (version 1.84.0)
CSIRTS triage
- What
- Malicious code was distributed with the extension but failed to execute due to a syntax error.
- Who is affected
- Users of the Amazon Q Developer Extension for Visual Studio Code version 1.84.0.
- Urgency
- Remediation is necessary as the malicious code was present, although it did not execute.
- Action
- Update to the latest version of the Amazon Q Developer Extension for Visual Studio Code.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2025-8217
Get an email if CVE-2025-8217 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.20% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 10% of all EPSS-scored CVEs.
Advisory coverage (2)
- unknown[Redirected] Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84)aws · 2026-06-05
- unknown[Redirected] Memory Dump Issue in AWS CodeBuildaws · 2026-06-05
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2025-8217)