Critical AWS CodeBuild Flaw Exposes GitHub Repositories to Potential Hijacking
A significant security vulnerability has been identified within Amazon Web Services’ (AWS) CodeBuild, potentially allowing unauthorized individuals to gain control over essential AWS-owned GitHub repositories. This flaw, if exploited, could have led to the injection of malicious code into widely used applications, including the AWS Console, thereby posing a substantial risk to numerous AWS environments.
Understanding the Vulnerability
The issue, termed CodeBreach, was brought to light by security researchers at Wiz Research. It stemmed from improperly configured regular expression patterns in CodeBuild’s webhook filters, specifically concerning the ACTOR_ID parameter. These filters are designed to restrict build processes to trusted GitHub user IDs. However, due to the absence of anchoring characters (i.e., ^ and $), the filters could match any user ID containing an approved substring. This oversight allowed attackers to exploit eclipse events, where new, longer GitHub IDs incorporate older maintainer IDs, thereby bypassing the intended restrictions.
Mechanism of Exploitation
GitHub assigns user IDs sequentially, generating approximately 200,000 new IDs daily. This rapid assignment increases the likelihood of ID overlaps, especially for the targeted 6-7 digit IDs associated with specific AWS repositories. The repositories affected include:
– aws/aws-sdk-js-v3
– aws/aws-lc
– corretto/amazon-corretto-crypto-provider
– awslabs/open-data-registry
Attackers could exploit this vulnerability by mass-creating GitHub Apps through the manifest flow, aiming to obtain eclipse IDs. Subsequently, they could submit pull requests that trigger privileged builds.
Proof of Concept and Potential Impact
In a proof-of-concept demonstration targeting the aws/aws-sdk-js-v3 repository (specifically pull request #7280), concealed payload code was used to extract a GitHub Personal Access Token (PAT) from the aws-sdk-js-automation account. This extraction occurred despite previous mitigations implemented following the 2025 Amazon Q incident.
The compromised PAT provided extensive permissions, including repository access and administrative control over repository hooks. This access enabled attackers to invite collaborators for administrative escalation and to push changes directly to the main branch.
The potential compromise of the JavaScript SDK posed a significant threat, as it could have led to the distribution of malicious code in its weekly NPM releases. Such a scenario would have impacted approximately 66% of scanned cloud environments and the AWS Console itself, which integrates recent SDK versions containing user credentials.
Furthermore, the stolen PAT granted control over related private repositories, amplifying the risks associated with supply chain attacks. This situation bore similarities to previous incidents like the Nx S1ngularity or the Amazon Q attack (AWS-2025-015). Wiz Research responsibly disclosed these findings to AWS on August 25, 2025, after halting further escalation.
AWS’s Response and Mitigation Measures
AWS acted promptly to address the identified flaw. Within 48 hours, the company:
– Corrected the regular expression misconfiguration.
– Revoked compromised tokens.
– Enhanced memory protection mechanisms.
– Conducted thorough audits of public build processes.
– Confirmed, through log analysis, that no exploitation had occurred.
AWS assured customers that no data was compromised during this period. To further bolster security, AWS introduced new features, including Pull Request Comment Approval and CodeBuild-hosted runners, designed to block untrusted builds.
Recommendations for Users
To mitigate similar risks, users are advised to:
– Anchor webhook regular expressions to prevent unintended matches.
– Utilize fine-grained Personal Access Tokens with minimal necessary scopes.
– Implement approval gates for pull requests.
– Regularly scan for vulnerable configurations using tools like Wiz queries.
AWS also recommends disabling automatic build processes for pull requests originating from untrusted sources. This incident underscores the importance of securing Continuous Integration and Continuous Deployment (CI/CD) pipelines, which are inherently complex, privilege-rich, and exposed to untrusted inputs.
Conclusion
The discovery and swift remediation of the CodeBreach vulnerability highlight the critical need for vigilant security practices in managing CI/CD pipelines. As these systems become increasingly integral to software development, ensuring their security is paramount to prevent potential supply chain attacks that could have far-reaching consequences.
