A critical misconfiguration in Amazon Web Services CodeBuild recently came to light, which could have allowed attackers to compromise GitHub repositories maintained by AWS, including the widely used aws-sdk-js-v3. Cloud security firm Wiz identified the vulnerability, codenamed CodeBreach, and reported it responsibly on August 25, 2025. AWS remediated the flaw in September 2025, confirming that the issue stemmed from project-specific misconfigurations in webhook filters rather than the CodeBuild service itself. Researchers noted that the vulnerability had the potential to enable platform-wide compromise, affecting both the Console and countless applications relying on the SDK.
The flaw arose in the continuous integration pipelines for several AWS-managed open source GitHub repositories, including aws-sdk-js-v3, aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry. These projects used an ACTOR_ID filter intended to allow builds only from trusted GitHub accounts. However, the regular expression pattern applied in these filters lacked start and end anchors, permitting any GitHub user ID that was a superstring of a trusted ID to trigger a build. Given GitHub’s sequential numeric user IDs, Wiz researchers demonstrated that attackers could predict new IDs that would bypass the filter, using automated bot accounts to generate target IDs. This misconfiguration could have allowed unauthorized users to trigger builds and acquire Personal Access Tokens with admin privileges for the repository, enabling direct code pushes, pull request approvals, and exfiltration of secrets, ultimately creating a pathway for supply chain attacks.
Exploitation of the vulnerability would have involved injecting malicious code into the affected repositories. This could have impacted not only the SDK-dependent applications but also the broader AWS ecosystem, including the Console and user accounts. Wiz researchers explained that the combination of untrusted data, privileged credentials, and complex build pipelines makes CI/CD environments a high-value target. AWS confirmed that additional measures were implemented, including credential rotations and securing build processes containing GitHub tokens, and emphasized that no evidence of exploitation in the wild was found. The incident underscores the importance of careful CI/CD configuration and validation, particularly for repositories linked to critical cloud infrastructure components.
To mitigate risks associated with similar vulnerabilities, security experts advise restricting builds triggered by untrusted pull requests, anchoring regex patterns in webhook filters, using unique PATs for each CodeBuild project with minimal permissions, and employing unprivileged GitHub accounts for CI/CD integration. Misconfigurations in workflows like pull_request_target can escalate from untrusted contributions into remote code execution on GitHub-hosted or self-hosted runners, highlighting the need for strict validation of code before checkout. Previous research by Orca Security and Sysdig has shown that improper workflow settings in high-profile projects from Google, Microsoft, and NVIDIA could lead to repository compromise, demonstrating that CI/CD security remains a critical component of software supply chain defense. CodeBreach serves as a reminder of how subtle errors in CI/CD configuration can create far-reaching security risks in cloud and open source environments.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
