A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider’s own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk.
The vulnerability has been codenamed CodeBreach by cloud security company Wiz. The issue was fixed by AWS in September 2025 following responsible disclosure on August 25, 2025.
“By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account,” researchers Yuval Avrahami and Nir Ohfeld said in a report shared with The Hacker News.
The flaw, Wiz noted, is the result of a weakness in the continuous integration (CI) pipelines that could have enabled unauthenticated attackers to breach the build environment, leak privileged credentials like GitHub admin tokens, and then use them to push malicious changes to the compromised repository – creating a pathway for supply chain attacks.
Put differently, the issue undermines webhook filters introduced by AWS to ensure that only certain events trigger a CI build. For example, AWS CodeBuild can be configured such that a build is triggered only when code changes are committed to a specific branch or when a GitHub or GitHub Enterprise Server account ID (aka ACTOR_ID or actor ID) matches the regular expression pattern. These filters serve to secure against untrusted pull requests.
The misconfiguration impacted the following AWS-managed open source GitHub repositories, which are configured to run builds on pull requests –
- aws-sdk-js-v3
- aws-lc
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
The four projects, which implemented an ACTOR_ID filter, suffered from a “fatal flaw” in that they failed to include two characters to ensure – namely the start ^ and end $ anchors – necessary to yield an exact regular expression (regex) match. Instead, the regex pattern allowed any GitHub user ID that was a superstring of an approved ID (e.g., 755743) to bypass the filter and trigger the build.
Because GitHub assigns numeric user IDs sequentially, Wiz said it was able to predict that the new user IDs (currently 9-digits long) would “eclipse” a trusted maintainer’s six-digit ID approximately every five days. This insight, coupled with the use of GitHub Apps to automate app creation (which, in turn, creates a corresponding bot user), made it possible to generate a target ID (e.g., 226755743) by triggering hundreds of new bot user registrations.
Armed with the actor ID, an attacker can now trigger a build and obtain the GitHub credentials of the aws-sdk-js-v3 CodeBuild project, a Personal Access Token (PAT) belonging to the aws-sdk-js-automation user, which has full admin privileges over the repository.
The attacker can weaponize this elevated access to push code directly to the main branch, approve…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
