In May 2025, AWS disclosed a critical remote code execution (RCE) vulnerability, CVE-2025-4318, in the @aws-amplify/codegen-ui package—a core dependency for AWS Amplify Studio’s UI code generation pipeline.
The flaw, rated 9.5 on the CVSS scale, stemmed from improper input validation in the expression-binding logic that processes user-defined JavaScript expressions within UI component schemas.
https://gbhackers.com/rce-vulnerability ... fy-studio/