Critical vulnerability in AWS Amplify Studio allows arbitrary code execution
Take action: If you're using AWS Amplify Studio with amplify-codegen-ui package version 2.20.2 or earlier, update to version 2.20.3. Although exploitation requires authentication, that is a weak barrier: credentials can be stolen by malware, and a disgruntled insider already has them. With or without the patch, restrict component editing permissions to trusted users and audit existing component schemas for suspicious code.
Learn More
AWS has disclosed and patched a critical security vulnerability in the amplify-codegen-ui package used by AWS Amplify Studio.
AWS Amplify Studio is a visual development environment that allows developers to build full-stack applications by visually designing UI components, connecting them to backend data, and automatically generating React code with minimal coding required. The amplify-codegen-ui package is a core component of AWS Amplify Studio responsible for generating front-end code from UI Builder entities, including components, forms, views, and themes.
The flaw is tracked as CVE-2025-4318 (CVSS score 9.5). It stems from insufficient input validation in component schema processing: when a component schema is imported with the create-component command, Amplify Studio imports and generates the component without properly validating the schema properties. As a result, an authenticated user with component creation or modification permissions can inject arbitrary JavaScript code that is executed during component rendering and build processes.
Update - as of 5 June 2025, a public proof-of-concept exploit for this flaw is available.
The issue affects all versions of amplify-codegen-ui up to and including 2.20.2.
Security researchers have outlined several possible consequences of successful exploitation:
- Arbitrary code execution on backend systems
- Unauthorized data exfiltration
- Service disruption through malicious scripts
- Potential supply chain attacks if compromised components spread to downstream applications
AWS has patched this vulnerability in amplify-codegen-ui version 2.20.3. Organizations using AWS Amplify Studio should:
- upgrade to version 2.20.3
- restrict component editing permissions to trusted users only
- review existing component schemas for any unexpected or suspicious code
- ensure any forked or derivative code incorporates the official fixes
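As an added worked example (not code from the advisory, from AWS, or from the amplify-codegen-ui project), the Node.js script below performs the two checks recommended above: it tests whether an installed amplify-codegen-ui version falls in the affected range (2.20.2 and earlier), and it walks a component schema JSON document, flagging string values that look like embedded JavaScript. The 2.20.3 cut-off, the regular-expression list, and the sample schema are assumptions of this example: the patterns are a review heuristic rather than a complete signature for the vulnerability, and the sample schema is a simplified, constructed stand-in, not real UI Builder output.

```javascript
'use strict';

// First patched release according to the advisory (assumption: plain
// numeric versions only; pre-release tags such as "-beta" are not handled).
const FIXED_VERSION = '2.20.3';

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version is below 2.20.3, i.e. still vulnerable.
function isAffectedVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Heuristic patterns for JavaScript smuggled into schema string fields.
// This list is an assumption of the example, not an official indicator set.
const SUSPICIOUS_PATTERNS = [
  /\brequire\s*\(/,        // CommonJS module loading
  /\bimport\s*\(/,         // dynamic import
  /\beval\s*\(/,           // direct eval
  /\bnew\s+Function\s*\(/, // Function constructor
  /\bchild_process\b/,     // process spawning
  /\bprocess\.env\b/,      // environment / credential access
  /\bfetch\s*\(/,          // outbound exfiltration
  /\bXMLHttpRequest\b/,
  /\bdocument\.cookie\b/,
  /<script\b/i,            // HTML script injection
  /\$\{[^}]*\}/,           // template-literal interpolation
  /=>\s*\{/,               // arrow-function body
  /;\s*\w+\s*\(/,          // statement terminator followed by a call
];

// Recursively walk any JSON value and collect {path, value, reason} hits
// for string leaves that match one of the patterns above.
function scanSchema(node, path = '$', hits = []) {
  if (typeof node === 'string') {
    for (const re of SUSPICIOUS_PATTERNS) {
      if (re.test(node)) {
        hits.push({ path, value: node, reason: re.source });
        break; // one reason per value is enough for a reviewer
      }
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => scanSchema(v, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      scanSchema(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Constructed sample schema (assumption: simplified shape, not real Amplify
// output). The nested Text component carries a property value with an
// embedded require() call, the kind of thing a reviewer should never see.
const SAMPLE_SCHEMA = {
  name: 'SubmitButton',
  componentType: 'Button',
  properties: { label: { value: 'Submit' } },
  children: [
    {
      name: 'Note',
      componentType: 'Text',
      properties: {
        label: { value: "x'; require('child_process').execSync('id'); //" },
      },
    },
  ],
};

// Stand-alone run: report the version status and any schema hits.
for (const v of ['2.20.2', '2.20.3']) {
  console.log(`amplify-codegen-ui ${v}: ${isAffectedVersion(v) ? 'AFFECTED' : 'patched'}`);
}
console.log(JSON.stringify(scanSchema(SAMPLE_SCHEMA), null, 2));

module.exports = { compareVersions, isAffectedVersion, scanSchema, SAMPLE_SCHEMA };
```

To audit real schemas, replace SAMPLE_SCHEMA with JSON.parse of each exported component file and review every hit by hand; treat the scan as a triage aid, since an absence of hits does not prove a schema is clean.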