Critical AWS Amplify Studio Vulnerability Let Attackers Execute Arbitrary Code
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical security vulnerability in AWS Amplify Studio has been identified, potentially allowing authenticated users to execute arbitrary JavaScript code during component rendering and build processes.
Amazon Web Services (AWS) disclosed and patched this high-severity flaw, tracked as CVE-2025-4318, on May 5, 2025.
The issue underscores the urgent need for robust input validation in modern development tools, especially as organizations increasingly rely on platforms like Amplify Studio to accelerate front-end development and streamline cloud deployments.
AWS Amplify Studio Vulnerability
The vulnerability specifically affects the amplify-codegen-ui package, a core component of AWS Amplify Studio that generates front-end code from UI Builder entities (components, forms, views, and themes).
This package is used primarily in Amplify Studio for component previews and in the AWS Command Line Interface (CLI) for generating component files in customers’ local applications.
According to the official AWS security bulletin, the vulnerability stems from insufficient input validation in the expression-binding function of the Amplify Studio UI component properties.
When importing a component schema using the create-component command, Amplify Studio imports and generates the component without properly validating the component schema properties before converting them to expressions.
The vulnerability has received a critical CVSS v4 score of 9.5, highlighting its serious nature and potential impact.
Exploitation of this vulnerability requires an authenticated user with permissions to create or modify components within Amplify Studio. Such a user could potentially inject and execute arbitrary JavaScript code during the component rendering and build process.
Security researchers have outlined several potential impacts of successful exploitation:
“As a result, an authenticated user who can create or modify components could run arbitrary JavaScript code during the component rendering and build process,” states the AWS advisory.
Risk Factors Details Affected ProductsAWS Amplify Studio (amplify-codegen-ui) ≤2.20.2ImpactArbitrary JavaScript code executionExploit PrerequisitesAuthenticated user with privileges to create or modify componentsCVSS 3.1 Score9.5 (Critical)
Mitigation
AWS has addressed the vulnerability by releasing version 2.20.3 of the amplify-codegen-ui package.
According to security experts, organizations using AWS Amplify Studio should take immediate action to protect their systems.
Key mitigation steps include:
For ongoing protection, security analysts recommend implementing additional safeguards:
The vulnerability was reported through the coordinated issue disclosure process by Ray the bounty hunter.
This incident highlights the importance of rigorous input validation in low-code development environments, particularly those handling component generation and rendering. AWS has confirmed that no active exploits were detected in the wild prior to patching.
#AWS #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
Critical AWS Amplify Studio Vulnerability Let Attackers Execute Arbitrary Code
Author: Guru BaranA critical security vulnerability in AWS Amplify Studio has been identified, potentially allowing authenticated users to execute arbitrary JavaScript code during component rendering and build processes.
Amazon Web Services (AWS) disclosed and patched this high-severity flaw, tracked as CVE-2025-4318, on May 5, 2025.
The issue underscores the urgent need for robust input validation in modern development tools, especially as organizations increasingly rely on platforms like Amplify Studio to accelerate front-end development and streamline cloud deployments.
AWS Amplify Studio Vulnerability
The vulnerability specifically affects the amplify-codegen-ui package, a core component of AWS Amplify Studio that generates front-end code from UI Builder entities (components, forms, views, and themes).
This package is used primarily in Amplify Studio for component previews and in the AWS Command Line Interface (CLI) for generating component files in customers’ local applications.
According to the official AWS security bulletin, the vulnerability stems from insufficient input validation in the expression-binding function of the Amplify Studio UI component properties.
When importing a component schema using the create-component command, Amplify Studio imports and generates the component without properly validating the component schema properties before converting them to expressions.
The vulnerability has received a critical CVSS v4 score of 9.5, highlighting its serious nature and potential impact.
Exploitation of this vulnerability requires an authenticated user with permissions to create or modify components within Amplify Studio. Such a user could potentially inject and execute arbitrary JavaScript code during the component rendering and build process.
Security researchers have outlined several potential impacts of successful exploitation:
- Arbitrary code execution on backend systems.
- Unauthorized data exfiltration.
- Service disruption through malicious scripts.
- Potential for supply chain attacks if compromised components spread to downstream applications.
“As a result, an authenticated user who can create or modify components could run arbitrary JavaScript code during the component rendering and build process,” states the AWS advisory.
Risk Factors Details Affected ProductsAWS Amplify Studio (amplify-codegen-ui) ≤2.20.2ImpactArbitrary JavaScript code executionExploit PrerequisitesAuthenticated user with privileges to create or modify componentsCVSS 3.1 Score9.5 (Critical)
Mitigation
AWS has addressed the vulnerability by releasing version 2.20.3 of the amplify-codegen-ui package.
According to security experts, organizations using AWS Amplify Studio should take immediate action to protect their systems.
Key mitigation steps include:
- Immediate Upgrade : Update to amplify-codegen-ui version 2.20.3 via the AWS CLI or Amplify Studio interface.
- Audit Custom Components : Review all component schemas for unexpected or suspicious code snippets.
- Restrict Permissions : Limit component editing rights to trusted users only.
- Patch Forked Code : Ensure any forked or derivative code incorporates the official fixes.
For ongoing protection, security analysts recommend implementing additional safeguards:
- Monitor build logs for unusual activity in component rendering pipelines.
- Enable AWS CloudTrail to track API calls related to component modifications.
- Validate third-party components by scanning imported schemas for untrusted code.
The vulnerability was reported through the coordinated issue disclosure process by Ray the bounty hunter.
This incident highlights the importance of rigorous input validation in low-code development environments, particularly those handling component generation and rendering. AWS has confirmed that no active exploits were detected in the wild prior to patching.
#AWS #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
