CVE-2025-4318
PUBLISHED
CVSS 9.5 CRITICAL
The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.
EPSS 0.24% · 46.8th percentile
Risk Scores
CVSS 4.0
9.5
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS Score
0.24%
46.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Amplify Studio | 0.1.0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-4318 (circl-sighting)
- https://github.com/aws-amplify/amplify-codegen-ui/commit/ca98c38b7c3d69ae7c94d2f62b51e32e8165dae6 (circl)
…and 10 more exploits
Timeline
- May 5, 2025 CVE Published
- May 5, 2025 PoC Published
- May 5, 2025 PoC Published
- May 5, 2025 PoC Published
- May 6, 2025 EPSS Score
- May 6, 2025 PoC Published
- May 7, 2025 PoC Published
- May 7, 2025 PoC Published
- May 18, 2025 EPSS Score
- May 29, 2025 EPSS Score
- Jun 6, 2025 PoC Published
- Jun 7, 2025 PoC Published
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-010/ vendor-advisory
- https://github.com/aws-amplify/amplify-codegen-ui/releases/tag/v2.20.3 patch
- https://github.com/aws-amplify/amplify-codegen-ui/security/advisories/GHSA-hf3j-86p7-mfw8 vendor-advisory
- https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/ exploit
- https://github.com/aws-amplify/amplify-codegen-ui/commit/ca98c38b7c3d69ae7c94d2f62b51e32e8165dae6 url