Amazon Kiro IDE is vulnerable to a high-severity access control flaw that allows remote attackers to execute arbitrary commands.

The file write tool lacks sufficient access control restrictions. Unauthenticated attackers can provide crafted instructions to overwrite sensitive files like .vscode/tasks.json, forcing the IDE to execute malicious commands when a folder is opened.

The CVSS score of 8.8 underscores the danger of this vulnerability, which allows for unauthorized command execution on the developer's workstation. This could lead to source code theft, the injection of malicious code into development projects, or the lateral movement of attackers into the corporate network.

Immediate Action: Update Kiro IDE to version 0.11 or later.

Proactive Monitoring: Audit development environments for unusual file modifications or unexpected task executions.

Compensating Controls: Ensure that workstations are protected by endpoint detection and response (EDR) solutions that can flag suspicious IDE behaviors.

Public Exploit Available: false

Developers and organizations using Amazon Kiro IDE should update to version 0.11 immediately. Given that this vulnerability targets common development workflows, it is vital to treat this as a high-priority update to prevent the compromise of local development environments.