Amazon Q Developer and Kiro – Prompt Injection Issues in Kiro and Q IDE plugins
Amazon Q Developer and AWS Kiro IDE plugins were found vulnerable to prompt injection attacks that could lead to remote or local code execution and secret leakage without Human-in-the-Loop (HITL) confirmation. These vulnerabilities require an open chat session and intentional access to malicious files or injected instructions. Invisible control characters could obfuscate malicious commands. AWS released mitigations in mid-2025 requiring HITL confirmation for sensitive commands in updated versions of the Language Server and Kiro IDE. Users must upgrade to Language Server v1. 24. 0 or newer and Kiro version 0. 1. 42 or later to enable these protections. The vulnerabilities affect versions prior to these releases.
AI Analysis
Technical Summary
Prompt injection vulnerabilities in Amazon Q Developer and AWS Kiro IDE plugins allow execution of commands such as find, grep, echo, ping, and dig without HITL confirmation, potentially enabling remote code execution and secret exfiltration via DNS queries. These issues require an open chat session and either intentional access to malicious files or local system access for injection. Invisible control characters can obfuscate malicious commands. AWS addressed these vulnerabilities by releasing Language Server v1.22.0 and v1.24.0, and Kiro version 0.1.42, which enforce HITL confirmation for these commands and actions, particularly in Supervised mode for Kiro. The vulnerabilities impact Amazon Q Developer versions before 1.22.0 or 1.24.0 depending on the command, and Kiro versions before 0.1.42. The mitigations rely on requiring user confirmation before executing potentially dangerous commands injected via prompts.
Potential Impact
Successful exploitation could lead to remote or local arbitrary code execution and leakage of sensitive metadata via DNS queries without user confirmation, potentially compromising developer environments. The vulnerabilities require specific conditions such as open chat sessions and intentional malicious file or instruction injection. Invisible control characters may be used to evade detection. No known exploits in the wild have been reported. The impact is critical due to the possibility of code execution and secret leakage in development environments.
Mitigation Recommendations
AWS has released official fixes: Language Server v1.22.0 and v1.24.0 for Amazon Q Developer, and Kiro version 0.1.42. These versions require Human-in-the-Loop (HITL) confirmation for executing sensitive commands and actions, especially in Supervised mode for Kiro. Users should upgrade to these versions or later by restarting the plugin or updating the IDE applications. After upgrading, the vulnerabilities are mitigated by the enforced HITL protections. Customers should also evaluate and implement security controls and policies appropriate to their environments and shared responsibility models. Patch status is confirmed as fixed in these versions.
Amazon Q Developer and Kiro – Prompt Injection Issues in Kiro and Q IDE plugins
Description
Amazon Q Developer and AWS Kiro IDE plugins were found vulnerable to prompt injection attacks that could lead to remote or local code execution and secret leakage without Human-in-the-Loop (HITL) confirmation. These vulnerabilities require an open chat session and intentional access to malicious files or injected instructions. Invisible control characters could obfuscate malicious commands. AWS released mitigations in mid-2025 requiring HITL confirmation for sensitive commands in updated versions of the Language Server and Kiro IDE. Users must upgrade to Language Server v1. 24. 0 or newer and Kiro version 0. 1. 42 or later to enable these protections. The vulnerabilities affect versions prior to these releases.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Prompt injection vulnerabilities in Amazon Q Developer and AWS Kiro IDE plugins allow execution of commands such as find, grep, echo, ping, and dig without HITL confirmation, potentially enabling remote code execution and secret exfiltration via DNS queries. These issues require an open chat session and either intentional access to malicious files or local system access for injection. Invisible control characters can obfuscate malicious commands. AWS addressed these vulnerabilities by releasing Language Server v1.22.0 and v1.24.0, and Kiro version 0.1.42, which enforce HITL confirmation for these commands and actions, particularly in Supervised mode for Kiro. The vulnerabilities impact Amazon Q Developer versions before 1.22.0 or 1.24.0 depending on the command, and Kiro versions before 0.1.42. The mitigations rely on requiring user confirmation before executing potentially dangerous commands injected via prompts.
Potential Impact
Successful exploitation could lead to remote or local arbitrary code execution and leakage of sensitive metadata via DNS queries without user confirmation, potentially compromising developer environments. The vulnerabilities require specific conditions such as open chat sessions and intentional malicious file or instruction injection. Invisible control characters may be used to evade detection. No known exploits in the wild have been reported. The impact is critical due to the possibility of code execution and secret leakage in development environments.
Mitigation Recommendations
AWS has released official fixes: Language Server v1.22.0 and v1.24.0 for Amazon Q Developer, and Kiro version 0.1.42. These versions require Human-in-the-Loop (HITL) confirmation for executing sensitive commands and actions, especially in Supervised mode for Kiro. Users should upgrade to these versions or later by restarting the plugin or updating the IDE applications. After upgrading, the vulnerabilities are mitigated by the enforced HITL protections. Customers should also evaluate and implement security controls and policies appropriate to their environments and shared responsibility models. Patch status is confirmed as fixed in these versions.
Technical Details
- Article Source
- {"url":"https://aws.amazon.com/security/security-bulletins/rss/aws-2025-019/","fetched":true,"fetchedAt":"2026-05-26T20:30:23.323Z","wordCount":426}
Threat ID: 6a1602eae29bf47b505d9f89
Added to database: 5/26/2026, 8:30:34 PM
Last enriched: 5/26/2026, 8:35:30 PM
Last updated: 5/26/2026, 9:39:21 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.