CVE-2025-4318

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.

CVSS

No CVSS.

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2025-010/
https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/
https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8

Configurations

No configuration.

History

10 Jun 2025, 01:15

Type	Values Removed	Values Added
References		() https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/ - () https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8 -
Summary		(es) Las expresiones de propiedad del componente de interfaz de usuario de AWS Amplify Studio en el paquete aws-amplify/amplify-codegen-ui carecen de validación de entrada. Esto podría permitir que un usuario autenticado con acceso para crear o modificar componentes ejecute código JavaScript arbitrario durante el proceso de renderizado y compilación de componentes.

05 May 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-05 19:15

Updated : 2025-06-10 01:15

NVD link : CVE-2025-4318

Mitre link : CVE-2025-4318

CVE.ORG link : CVE-2025-4318

JSON object : View

Products Affected

No product.

CWE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

{"id": "CVE-2025-4318", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-05T19:15:57.847", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-010/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-95"}]}], "descriptions": [{"lang": "en", "value": "The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process."}, {"lang": "es", "value": "Las expresiones de propiedad del componente de interfaz de usuario de AWS Amplify Studio en el paquete aws-amplify/amplify-codegen-ui carecen de validaci\u00f3n de entrada. Esto podr\u00eda permitir que un usuario autenticado con acceso para crear o modificar componentes ejecute c\u00f3digo JavaScript arbitrario durante el proceso de renderizado y compilaci\u00f3n de componentes."}], "lastModified": "2025-06-10T01:15:23.483", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}