CVE-2025-4318

 

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.
https://nvd.nist.gov/vuln/detail/CVE-2025-4318

Categories

CWE-95 : Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) If possible, refactor your code so that it does not need to use eval() at all. Framework for LLM applications allows eval injection via a crafted response from a hosting provider. Python compiler uses eval() to execute malicious strings as Python code. Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV. Chain: backslash followed by a newline can bypass a validation step (CWE-20), leading to eval injection (CWE-95), as exploited in the wild per CISA KEV. Eval injection in PHP program. Eval injection in Perl program. Eval injection in Perl program using an ID that should only contain hyphens and numbers. Direct code injection into Perl eval function. Eval injection in Perl program. Direct code injection into Perl eval function. Direct code injection into Perl eval function. MFV. code injection into PHP eval statement using nested constructs that should not be nested. MFV. code injection into PHP eval statement using nested constructs that should not be nested. Code injection into Python eval statement from a field in a formatted file. Eval injection in Python program. chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement. Chain: Execution after redirect triggers eval injection.

References


 

CPE

cpe start end

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
35 Leverage Executable Code in Non-Executable Files
Very High

MITRE

Techniques

id description
T1027.006 Obfuscated Files or Information: HTML Smuggling
T1027.009 Obfuscated Files or Information: Embedded Payloads
T1564.009 Hide Artifacts: Resource Forking
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
M1048 Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.
M1040 On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.
M1013 Configure applications to use the application bundle structure which leverages the <code>/Resources</code> folder location.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.