TLDR: Amazon Web Services (AWS) has released patches for its Amazon Q Developer Visual Studio Code extension after security researcher Johann Rehberger demonstrated critical prompt injection and remote code execution (RCE) vulnerabilities. Despite the fixes, AWS has opted not to issue a Common Vulnerabilities and Exposures (CVE) identifier for these specific flaws, asserting they do not meet the criteria for such classification, a stance that has drawn criticism from the disclosing researcher.
Amazon Web Services (AWS) has quietly rolled out security patches for its Amazon Q Developer Visual Studio Code extension, a popular AI-powered coding assistant with over one million downloads. The updates address significant security vulnerabilities, including prompt injection and remote code execution (RCE), which were publicly demonstrated by AI security researcher Johann Rehberger.
Rehberger’s findings, detailed in a series of technical write-ups, revealed that Amazon Q Developer could be coerced through prompt injection to leak sensitive information, such as API keys, directly from a developer’s machine. The same weakness also allowed remote code execution, posing a severe risk of system compromise. The core issue, according to Rehberger, is that the extension feeds untrusted data to a model that can invoke its predefined tools, so injected instructions can make the AI agent run bash commands and exfiltrate data without explicit developer consent. “It is vulnerable to prompt injection from untrusted inputs and its security depends heavily on model behavior,” Rehberger stated. “Amazon Q can be hijacked to run bash commands that allow leaking of sensitive information without the developer’s consent.”
In response to these disclosures, AWS updated the underlying language server to version 1.24.0, which is part of the Amazon Q Developer Extension for VS Code. This new version reportedly “requires additional human-in-the-loop approval” to mitigate the demonstrated behaviors.
However, a notable aspect of AWS’s response is its decision not to issue a CVE for these prompt injection and RCE vulnerabilities. An AWS spokesperson informed The Register that these issues do not meet the CVE Numbering Authority (CNA) program criteria. The spokesperson elaborated, “This is not a vulnerability in the same way executing any other deliberately malicious code is not considered a vulnerability.” AWS advises its customers to “follow security best practices to avoid executing deliberately malicious code.”
This position has been met with disagreement from Rehberger, who believes AWS should be more transparent. “Even though Amazon fixed all vulnerabilities that I reported, which is good, AWS did not issue a public advisory or CVE for the vulnerabilities to inform customers about the patches,” he commented.
It is important to distinguish these prompt injection and RCE issues from a separate, earlier security incident involving Amazon Q Developer. An AWS security bulletin from July 23, 2025, detailed a vulnerability (CVE-2025-8217) where an inappropriately scoped GitHub token allowed a threat actor to commit malicious code into the extension’s open-source repository. Although this malicious code was distributed in version 1.84.0, it failed to execute due to a syntax error. AWS subsequently released version 1.85.0 and removed 1.84.0 from distribution, urging users to update. The prompt injection and RCE vulnerabilities disclosed by Rehberger are distinct from this earlier incident, despite both affecting the Amazon Q Developer extension and highlighting the ongoing challenges in securing AI-powered development tools.