CWE-506

Embedded Malicious Code

The product contains code that appears to be malicious in nature.

CVE-2024-3094 (GCVE-0-2024-3094)
Vulnerability from cvelistv5
Published
2024-03-29 16:51
Modified
2025-08-19 01:03
Severity ?
CWE
  • CWE-506 - Embedded Malicious Code
Summary
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Impacted products
Vendor Product Version
Version: 5.6.0
Version: 5.6.1
Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3094",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-02T04:00:23.138684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T15:37:17.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-08-19T00:24:09.962Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.gentoo.org/928134"
          },
          {
            "name": "RHBZ#2272210",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/amlweems/xzbot"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/karcherm/xz-malware"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gynvael.coldwind.pl/?lang=en\u0026id=782"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lwn.net/Articles/967180/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=39865810"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=39877267"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=39895344"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://research.swtch.com/xz-script"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://research.swtch.com/xz-timeline"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.alpinelinux.org/vuln/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.archlinux.org/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240402-0001/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tukaani.org/xz-backdoor/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/LetsDefendIO/status/1774804387417751958"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/debian/status/1774219194638409898"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/infosecb/status/1774595540233167206"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/infosecb/status/1774597228864139400"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.kali.org/blog/about-the-xz-backdoor/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://xeiaso.net/notes/2024/xz-vuln/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/12"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/27"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/12"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/36"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/16/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/4"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/tukaani-project/xz",
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "versions": [
            {
              "status": "affected",
              "version": "5.6.0"
            },
            {
              "status": "affected",
              "version": "5.6.1"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Andres Freund for reporting this issue."
        }
      ],
      "datePublic": "2024-03-29T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Critical"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T01:03:12.439Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-3094"
        },
        {
          "name": "RHBZ#2272210",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
        },
        {
          "url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-03-27T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-03-29T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Xz: malicious code in distributed source",
      "x_redhatCweChain": "CWE-506: Embedded Malicious Code"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-3094",
    "datePublished": "2024-03-29T16:51:12.588Z",
    "dateReserved": "2024-03-29T15:38:13.249Z",
    "dateUpdated": "2025-08-19T01:03:12.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-4978 (GCVE-0-2024-4978)
Vulnerability from cvelistv5
Published
2024-05-23 01:56
Modified
2025-07-30 01:37
CWE
  • CWE-506 - Embedded Malicious Code
Summary
Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:javs:viewer:8.3.7.250:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "viewer",
            "vendor": "javs",
            "versions": [
              {
                "status": "affected",
                "version": "8.3.7.250"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-4978",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-30T11:12:54.307588Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2024-05-29",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4978"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:37:03.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2024-05-29T00:00:00+00:00",
            "value": "CVE-2024-4978 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:55:10.367Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/2RunJack2/status/1775052981966377148"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.javs.com/downloads/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Viewer",
          "vendor": "Justice AV Solutions",
          "versions": [
            {
              "status": "affected",
              "version": "8.3.7.250"
            }
          ]
        }
      ],
      "datePublic": "2024-05-23T00:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands.\u0026nbsp;"
            }
          ],
          "value": "Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506 Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T17:11:59.027Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "url": "https://twitter.com/2RunJack2/status/1775052981966377148"
        },
        {
          "url": "https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/"
        },
        {
          "url": "https://www.javs.com/downloads/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Malicious Code in Justice AV Solutions (JAVS) Viewer",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2024-4978",
    "datePublished": "2024-05-23T01:56:37.946Z",
    "dateReserved": "2024-05-15T21:03:53.551Z",
    "dateUpdated": "2025-07-30T01:37:03.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-30066 (GCVE-0-2025-30066)
Vulnerability from cvelistv5
Published
2025-03-15 00:00
Modified
2025-07-30 01:36
CWE
  • CWE-506 - Embedded Malicious Code
Summary
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
References
https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193
https://github.com/tj-actions/changed-files/issues/2463
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
https://news.ycombinator.com/item?id=43368870
https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463
https://news.ycombinator.com/item?id=43367987
https://github.com/rackerlabs/genestack/pull/903
https://github.com/chains-project/maven-lockfile/pull/1111
https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
https://github.com/espressif/arduino-esp32/issues/11127
https://github.com/modal-labs/modal-examples/issues/1100
https://github.com/tj-actions/changed-files/issues/2464
https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond
https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
https://github.com/tj-actions/changed-files/issues/2477
https://blog.gitguardian.com/compromised-tj-actions/
Impacted products
Vendor Product Version
tj-actions changed-files Version: 1   < 46
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30066",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-22T03:55:44.803134Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-03-18",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30066"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:36:16.435Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2025-03-18T00:00:00+00:00",
            "value": "CVE-2025-30066 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-18T21:05:17.427Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "changed-files",
          "vendor": "tj-actions",
          "versions": [
            {
              "lessThan": "46",
              "status": "affected",
              "version": "1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "46",
                  "versionStartIncluding": "1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506 Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-18T21:59:21.617Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193"
        },
        {
          "url": "https://github.com/tj-actions/changed-files/issues/2463"
        },
        {
          "url": "https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised"
        },
        {
          "url": "https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/"
        },
        {
          "url": "https://news.ycombinator.com/item?id=43368870"
        },
        {
          "url": "https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463"
        },
        {
          "url": "https://news.ycombinator.com/item?id=43367987"
        },
        {
          "url": "https://github.com/rackerlabs/genestack/pull/903"
        },
        {
          "url": "https://github.com/chains-project/maven-lockfile/pull/1111"
        },
        {
          "url": "https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/"
        },
        {
          "url": "https://github.com/espressif/arduino-esp32/issues/11127"
        },
        {
          "url": "https://github.com/modal-labs/modal-examples/issues/1100"
        },
        {
          "url": "https://github.com/tj-actions/changed-files/issues/2464"
        },
        {
          "url": "https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28"
        },
        {
          "url": "https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066"
        },
        {
          "url": "https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond"
        },
        {
          "url": "https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack"
        },
        {
          "url": "https://github.com/tj-actions/changed-files/issues/2477"
        },
        {
          "url": "https://blog.gitguardian.com/compromised-tj-actions/"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-30066",
    "datePublished": "2025-03-15T00:00:00.000Z",
    "dateReserved": "2025-03-15T00:00:00.000Z",
    "dateUpdated": "2025-07-30T01:36:16.435Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-30154 (GCVE-0-2025-30154)
Vulnerability from cvelistv5
Published
2025-03-19 15:15
Modified
2025-07-30 01:36
CWE
  • CWE-506 - Embedded Malicious Code
Summary
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30154",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-25T03:55:16.734240Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-03-24",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:36:16.303Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2025-03-24T00:00:00+00:00",
            "value": "CVE-2025-30154 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "reviewdog",
          "vendor": "reviewdog",
          "versions": [
            {
              "status": "affected",
              "version": "= 1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506: Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-19T15:15:29.113Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc"
        },
        {
          "name": "https://github.com/reviewdog/reviewdog/issues/2079",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/reviewdog/reviewdog/issues/2079"
        },
        {
          "name": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887"
        },
        {
          "name": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec"
        },
        {
          "name": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup"
        }
      ],
      "source": {
        "advisory": "GHSA-qmg3-hpqr-gqvc",
        "discovery": "UNKNOWN"
      },
      "title": "Multiple Reviewdog actions were compromised during a specific time period"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-30154",
    "datePublished": "2025-03-19T15:15:29.113Z",
    "dateReserved": "2025-03-17T12:41:42.566Z",
    "dateUpdated": "2025-07-30T01:36:16.303Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-54313 (GCVE-0-2025-54313)
Vulnerability from cvelistv5
Published
2025-07-19 00:00
Modified
2025-07-23 15:16
CWE
  • CWE-506 - Embedded Malicious Code
Summary
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Impacted products
Vendor Product Version
prettier eslint-config-prettier Version: 8.10.1   
Version: 9.1.1   
Version: 10.1.6   
Version: 10.1.7   
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-07-21T16:09:03.150Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/community-scripts/ProxmoxVE/discussions/6115"
          },
          {
            "url": "https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54313",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-23T14:43:52.086461Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-23T15:16:25.225Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "eslint-config-prettier",
          "vendor": "prettier",
          "versions": [
            {
              "status": "affected",
              "version": "8.10.1",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "9.1.1",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "10.1.6",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "10.1.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506 Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-19T16:43:13.088Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise"
        },
        {
          "url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"
        },
        {
          "url": "https://github.com/prettier/eslint-config-prettier/issues/339"
        },
        {
          "url": "https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions"
        },
        {
          "url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise"
        },
        {
          "url": "https://news.ycombinator.com/item?id=44609732"
        },
        {
          "url": "https://news.ycombinator.com/item?id=44608811"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-54313",
    "datePublished": "2025-07-19T00:00:00.000Z",
    "dateReserved": "2025-07-19T00:00:00.000Z",
    "dateUpdated": "2025-07-23T15:16:25.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-8217 (GCVE-0-2025-8217)
Vulnerability from cvelistv5
Published
2025-07-30 00:34
Modified
2025-07-30 15:25
CWE
  • CWE-506 - Embedded Malicious Code
Summary
The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.
Impacted products
Vendor Product Version
Amazon Q Developer VS Code Extension Version: 1.84.0   
Version: sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8217",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T13:23:17.479055Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T15:25:16.138Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Q Developer VS Code Extension",
          "vendor": "Amazon",
          "versions": [
            {
              "lessThan": "1.85.0",
              "status": "affected",
              "version": "1.84.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464",
              "versionType": "git"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use.\u003c/p\u003e"
            }
          ],
          "value": "The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI.\n\n\n\nTo mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-442",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-442 Infected Software"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506 Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T00:34:06.733Z",
        "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "shortName": "AMZN"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-015/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/aws/aws-toolkit-vscode/security/advisories/GHSA-7g7f-ff96-5gcw"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Inert Malicious script injected into Amazon Q Developer Visual Studio Code (VS Code) Extension",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
    "assignerShortName": "AMZN",
    "cveId": "CVE-2025-8217",
    "datePublished": "2025-07-30T00:34:06.733Z",
    "dateReserved": "2025-07-25T21:50:50.324Z",
    "dateUpdated": "2025-07-30T15:25:16.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation

Phase: Testing

Description:

  • Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software

An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.

CAPEC-448: Embed Virus into DLL

An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

CAPEC-636: Hiding Malicious Data or Code within Files

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.

Back to CWE stats page