CVE-2025-4318
Input validation issue in AWS Amplify Studio UI component properties
Severity Score
9.5
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-05-05 CVE Reserved
- 2025-05-05 CVE Published
- 2025-05-05 CVE Updated
- 2025-05-11 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CAPEC
- CAPEC-251: Local Code Inclusion
- CAPEC-592: Stored XSS
References (1)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Amazon Search vendor "Amazon" | Amplify Studio Search vendor "Amazon" for product "Amplify Studio" | >= 0.1.0 < 2.20.3 Search vendor "Amazon" for product "Amplify Studio" and version " >= 0.1.0 < 2.20.3" | en |
Affected
| ||||||