AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A critical misconfiguration in AWS CodeBuild exposed several high-profile GitHub repositories to potential supply chain attacks, according to cloud security researchers at Wiz. The vulnerability, dubbed CodeBreach, was patched by Amazon in September 2025 following responsible disclosure in August.

Researchers Yuval Avrahami and Nir Ohfeld explained that the flaw could have allowed attackers to inject malicious code across AWS-managed repositories, including the widely used AWS JavaScript SDK, potentially compromising any environment relying on the SDK. “Exploiting CodeBreach could have enabled attackers to compromise not just the SDK but the AWS Console itself, affecting every AWS account,” the report stated.

How the Vulnerability Worked

The issue stemmed from a weakness in continuous integration (CI) pipelines for AWS-managed GitHub repositories. These pipelines use webhook filters to restrict builds to trusted contributors or events, typically based on GitHub user IDs, called ACTOR_IDs. However, the filters for affected repositories failed to anchor their regular expressions properly.

Without the start (^) and end ($) anchors, the regex pattern allowed any GitHub user ID containing a trusted ID as a substring to trigger a build. Because GitHub user IDs are sequential, attackers could predict future IDs and generate new bot accounts to bypass the filter. Once the filter was bypassed, attackers could trigger builds, obtain Personal Access Tokens (PATs) with admin rights, and push malicious changes directly to repositories.

Affected repositories included:

  • aws-sdk-js-v3
  • aws-lc
  • amazon-corretto-crypto-provider
  • awslabs/open-data-registry

Using elevated access, attackers could approve pull requests, exfiltrate repository secrets, and compromise downstream applications—a textbook supply chain attack scenario.

AWS confirmed in an advisory that the misconfiguration was repository-specific, not a flaw in the CodeBuild service itself. Remediation included updating webhook regex patterns, rotating credentials, and tightening security around CI build processes. AWS also confirmed no evidence of exploitation in the wild.

Mitigation Recommendations

Wiz researchers and AWS recommend that organizations:

  1. Use anchored regex patterns for webhook filters to avoid substring matches.
  2. Enable Pull Request Comment Approval gates to prevent untrusted contributions from triggering privileged builds.
  3. Assign unique, minimally privileged PATs to each CodeBuild project.
  4. Use unprivileged GitHub accounts for CI/CD integrations.
  5. Avoid checking out untrusted code in workflows triggered by pull_request_target.
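
A check for the first recommendation, written for this page as an added example (not Wiz's or AWS's code): it probes each actor filter with IDs that only contain a trusted ID as a substring and reports the patterns that still accept them. The filter groups and IDs are constructed, the `ACTOR_ACCOUNT_ID` type name follows CodeBuild's webhook filter naming, and modelling the filter with Python's `re.search` is an assumption.

```python
import re

# Constructed sample shaped like CodeBuild webhook filter groups; IDs are made up.
SAMPLE_GROUPS = [
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "123456|234567"}],        # unanchored
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^123456|234567$"}],      # half-anchored
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(123456|234567)$"}],    # anchored
]

def superstring_probes(pattern):
    """Build IDs that only contain a trusted ID from the pattern as a substring."""
    trusted = set(re.findall(r"\d+", pattern))
    probes = set()
    for actor_id in trusted:
        probes.update({"9" + actor_id, actor_id + "9"})
    return probes - trusted  # a probe that is itself allow-listed is not a finding

def audit_pattern(pattern):
    """Return the untrusted probe IDs the pattern would still accept."""
    rx = re.compile(pattern)
    # Assumption: re.search models the filter's unanchored (substring) matching.
    return sorted(p for p in superstring_probes(pattern) if rx.search(p))

def audit_groups(filter_groups):
    """Return (group index, pattern, accepted untrusted IDs) for each weak actor filter."""
    findings = []
    for index, group in enumerate(filter_groups):
        for flt in group:
            if flt["type"] != "ACTOR_ACCOUNT_ID" or flt.get("excludeMatchedPattern"):
                continue
            accepted = audit_pattern(flt["pattern"])
            if accepted:
                findings.append((index, flt["pattern"], accepted))
    return findings

if __name__ == "__main__":
    for index, pattern, accepted in audit_groups(SAMPLE_GROUPS):
        print(f"group {index}: {pattern!r} also accepts {accepted}")
```

The half-anchored pattern is flagged because `^` and `$` bind to single alternatives: without the parentheses, each branch is anchored on one side only.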

“This is a classic example of how subtle misconfigurations in CI/CD pipelines can enable devastating attacks,” Wiz researchers noted. They emphasized that CI/CD environments handle sensitive credentials and untrusted input, making them prime targets for high-impact breaches.

The CodeBreach disclosure highlights the growing need for robust CI/CD security practices, particularly in large open-source ecosystems where a single compromised pipeline could have far-reaching consequences. Previous research has shown similar vulnerabilities in GitHub Actions workflows, where misconfigured triggers allowed attackers to escalate privileges or execute arbitrary code in multiple enterprise environments.
