Skip to main content

Amazon Q Developer and Kiro – Prompt Injection Issues in Kiro and Q IDE plugins

Posted on: Oct 7, 2025

Bulletin ID: AWS-2025-019
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/10/07 01:30 PM PDT

Description:

We are aware of blog posts by Embrace The Red (“The Month of AI Bugs”) describing prompt injection issues in Amazon Q Developer and Kiro.

"Amazon Q Developer: Remote Code Execution with Prompt Injection” and “Amazon Q Developer for VS Code Vulnerable to Invisible Prompt Injection."

These issues require an open chat session and intentional access to a malicious file using commands such as find, grep, or echo, which could be executed without Human-in-the-Loop (HITL) confirmation. In some cases, invisible control characters could obfuscate these commands. On July 17, 2025, we released Language Server v1.22.0, which requires HITL confirmation for these commands

"Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection."

This issue requires a developer to accept a prompt-injected suggestion including commands such as ping or dig, which could exfiltrate metadata via DNS queries without HITL confirmation. On July 29, 2025, we released Language Server v1.24.0, which requires HITL confirmation for these commands.

"AWS Kiro: Arbitrary Code Execution via Indirect Prompt Injection."

This issue requires local system access to inject instructions that lead to arbitrary code execution via Kiro IDE or MCP settings files without HITL confirmation in either Kiro's Autopilot or Supervised mode. On August 1, 2025, we released Kiro version 0.1.42, which requires HITL confirmation for these actions when configured in Supervised mode.

Amazon Q Developer and Kiro are built on the principles of agentic development, enabling developers to work more efficiently with the help of AI agents. As customers adopt AI-enhanced development workflows, we recommend they evaluate and implement appropriate security controls and policies based on their specific environments and shared responsibility models (AWSAmazon QKiro). Amazon Q Developer and Kiro provide safeguards, including Human-in-the-Loop protections and customizable execution policies, to support secure adoption.

Affected versions: 

  • Amazon Q Developer for find, grep, echo (version <1.22.0)
  • Amazon Q Developer for ping, dig: (versions <1.24.0)
  • AWS Kiro: version 0.1.42

Resolution:

Upgrade to Language Server v1.24.0 or newer by restarting the plugin, upgrading to the latest Amazon Q Developer IDE plugin, or the latest Kiro IDE application. After upgrading, these commands require HITL confirmation (when in Supervised mode for Kiro).

Acknowledgement:

We would like to thank Embrace the Red, HiddenLayer, and MaccariTA for collaborating on these issues through the coordinated vulnerability disclosure process.


Please email aws-security@amazon.com with any security questions or concerns.