Overview
On May 5, 2025, a critical vulnerability identified as CVE-2025-4318 was disclosed in AWS Amplify Studio, specifically within the aws-amplify/amplify-codegen-ui package. This flaw affects versions prior to 2.20.3 and has been categorized as a severe security risk due to improper input validation in UI component property expressions. It allows the injection and execution of arbitrary JavaScript code during component rendering and build processes.
Technical Details
This vulnerability is rooted in CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code, also known as Eval Injection. This means the application evaluates user-supplied inputs using functions like eval() without proper validation or sanitization, enabling attackers to execute malicious code.
In this case, any authenticated user with permissions to create or modify components in Amplify Studio can exploit this flaw by injecting JavaScript into component properties. This code would then execute during UI component generation, potentially leading to full compromise of application data and behavior.
CVSS Score and Severity
Using the CVSS 4.0 standard, this vulnerability has been assigned a base score of 9.5, indicating critical severity. The associated vector string is:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
This scoring reflects that the attack is possible over a network, requires low complexity and no user interaction or privileges, and results in high impact across confidentiality, integrity, and availability.
Potential Impacts
The identified CAPEC categories related to this vulnerability are:
- CAPEC-592: Stored XSS – Malicious scripts persist in the system and execute when rendered to users.
- CAPEC-251: Local Code Inclusion – Executing unauthorized local code on the server or build system.
These vectors signify the exploit’s ability to compromise both user data and application logic.
Affected Products
The vulnerability impacts the amplify-codegen-ui package used by Amazon Amplify Studio, affecting all versions before 2.20.3. Users of earlier versions are strongly advised to upgrade immediately to mitigate risk.
Mitigation
Amazon has addressed this vulnerability in version 2.20.3 of the package. Developers and system administrators should:
- Upgrade to the latest version of amplify-codegen-ui.
- Audit existing components for unsafe JavaScript injection patterns.
- Implement stricter access control to prevent unauthorized component modifications.
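One way to approach the audit step, as an added example that is not code from Amazon or from the amplify-codegen-ui project: a Node.js walker that checks every string value in a parsed component definition against a short list of heuristic patterns. The rule list, the `auditComponent` name and the sample component's field names are assumptions made for illustration.

```javascript
// Added example: heuristic audit of component definitions (not the package's own validator).
// RULES and the sample component shape are assumptions made for illustration.
const RULES = [
  { id: "dynamic-eval", re: /\b(?:eval|Function|setTimeout|setInterval)\s*\(/ },
  { id: "module-access", re: /\b(?:require|import)\s*\(|\bprocess\s*\.|\bchild_process\b/ },
  { id: "template-breakout", re: /\$\{|`/ },
  { id: "markup-script", re: /<\s*script\b|\bjavascript\s*:|\bon\w+\s*=/i },
];

// Yield every string leaf of a parsed JSON value together with its JSON path.
function* stringLeaves(node, path = "$") {
  if (typeof node === "string") {
    yield { path, value: node };
  } else if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* stringLeaves(node[i], `${path}[${i}]`);
  } else if (node !== null && typeof node === "object") {
    for (const [key, child] of Object.entries(node)) yield* stringLeaves(child, `${path}.${key}`);
  }
}

// Return one finding per (string, rule) match so a reviewer can triage by path.
function auditComponent(component) {
  const findings = [];
  for (const { path, value } of stringLeaves(component)) {
    for (const { id, re } of RULES) {
      if (re.test(value)) findings.push({ path, rule: id, excerpt: value.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample input; field names are hypothetical.
const sampleComponent = {
  name: "ProfileCard",
  componentType: "Flex",
  properties: {
    gap: { value: "1rem" },
    label: { value: "eval(window.name)" },
  },
  children: [
    { componentType: "Text", properties: { label: { value: "Plain text, nothing to flag" } } },
    { componentType: "Text", properties: { label: { concat: [{ value: "${process.env.HOME}" }] } } },
  ],
};

console.table(auditComponent(sampleComponent));
```

Findings are leads for manual review rather than proof of tampering, since legitimate text can trip a heuristic and a clean result does not replace upgrading to 2.20.3.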
Conclusion
CVE-2025-4318 represents a critical security issue in a widely used AWS development tool. Due to its severity and the potential for full application compromise, all users of Amplify Studio must prioritize patching and review access policies. This incident also underscores the need for robust input validation practices, particularly in dynamic code execution contexts.
For more information, refer to the official Amazon security bulletin: AWS-2025-010.