A high-severity vulnerability has been identified in the Kiro IDE, which could allow an attacker to take control of a developer's workstation. By tricking a user into opening a project with a specially crafted folder name, an attacker can execute arbitrary commands on the system. This could lead to data theft, malware installation, or further intrusion into the corporate network.

This is an arbitrary command injection vulnerability within the Kiro GitLab Merge-Request helper component of the Kiro IDE. The vulnerability is triggered when the IDE processes a workspace folder with a specially crafted name containing malicious commands. An attacker can exploit this by convincing a user to clone and open a malicious repository or project. When the helper utility processes the folder name, it fails to properly sanitize the input before passing it to a system shell, allowing the embedded commands to be executed with the permissions of the user running the IDE.

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation allows an attacker to execute arbitrary commands on an affected developer's workstation. The potential consequences include theft of sensitive intellectual property such as source code, API keys, and internal credentials; installation of malware, spyware, or ransomware; and using the compromised machine as a pivot point for lateral movement into the broader corporate network. This poses a significant risk to data confidentiality, integrity, and the overall security of the development environment.

Immediate Action: Apply the security updates provided by the vendor immediately to patch the vulnerability. Following the update, monitor systems for any signs of exploitation attempts by reviewing application and system access logs for suspicious activity.

Proactive Monitoring: Security teams should monitor for suspicious child processes being spawned by the Kiro IDE process (e.g., cmd.exe, powershell.exe, /bin/sh, /bin/bash). Monitor endpoint detection and response (EDR) logs for unusual file modifications or network connections originating from the IDE. Scrutinize network traffic for unexpected outbound connections from developer workstations to unknown destinations.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Use application control or whitelisting solutions to restrict the Kiro IDE from executing shell commands or other unauthorized processes.
• Enforce strict network egress filtering on developer workstations to block unauthorized outbound connections.
• Educate developers on the risks of cloning and opening projects from untrusted or unverified sources.

Public Exploit Available: false

Given the high-severity CVSS score of 7.8 and the potential for complete system compromise, it is strongly recommended that organizations prioritize the immediate deployment of the vendor-supplied patches to all affected Kiro IDE installations. While this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for enabling data theft and lateral movement warrants urgent attention. If patching is delayed, implement the suggested compensating controls and proactive monitoring to reduce the risk of exploitation.