AWS CodeBuild Misconfiguration Could Have Enabled Supply Chain Attacks
In September 2025, Amazon Web Services (AWS) patched a critical misconfiguration in its AWS CodeBuild service that could have allowed attackers to take over the company's own GitHub repositories, including the AWS JavaScript SDK (aws-sdk-js-v3), potentially compromising millions of AWS environments. The vulnerability, dubbed CodeBreach by cloud security firm Wiz, was responsibly disclosed on August 25, 2025, and stemmed from a flaw in CI pipeline webhook filters.
The issue centered on insecure regular expression (regex) patterns in CodeBuild's webhook filters, which were meant to restrict build triggers to approved GitHub user IDs (ACTOR_ID). Because the patterns lacked start (^) and end ($) anchors, any user ID that contained an approved ID as a substring (e.g., 755743) satisfied the filter. Since GitHub assigns numeric IDs sequentially, Wiz researchers exploited this by registering bot accounts whose predictable IDs (e.g., 226755743) contained a trusted maintainer's ID.
Once an attacker triggered a build, they could leak GitHub admin tokens, including a Personal Access Token (PAT) for the aws-sdk-js-automation user, granting full repository control. This access could have enabled malicious code injection, pull request approvals, and secrets exfiltration, paving the way for supply chain attacks affecting AWS services and dependent applications.
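The anchoring defect described above is easy to check for in your own CodeBuild project configuration. The following is an added example (not code from the article, Wiz, or AWS): a small lint that takes a filterGroups-style structure (the list-of-lists of {"type", "pattern"} dicts used by the CodeBuild API; the actor filter type is named ACTOR_ACCOUNT_ID there, which the article refers to as ACTOR_ID) and flags any actor pattern that still matches when a digit is added before or after one of its listed IDs. The substring (re.search) matching is an assumption that mirrors how the article describes the unanchored filters behaving; the IDs 755743 and 226755743 are the article's own illustrative values, and the filter groups are constructed samples, not AWS's real configuration.

```python
import re

# Illustrative values from the article: 755743 is an approved maintainer ID,
# 226755743 is a longer ID that contains it as a substring.
APPROVED_IDS = ["755743"]
LONGER_ID = "226755743"


def actor_matches(pattern: str, actor_id: str) -> bool:
    """Substring matching (re.search), which is how the article describes the
    unanchored filters behaving. An anchored pattern is unaffected by this choice."""
    return re.search(pattern, actor_id) is not None


def anchored_pattern(ids) -> str:
    """Build a correctly anchored alternation, ^(id1|id2|...)$, escaping every ID.
    Wrapping the alternation in a group matters: ^a|b$ anchors only the outer
    alternatives, so it is not equivalent."""
    return "^(" + "|".join(re.escape(i) for i in ids) + ")$"


def probe_anchoring(pattern: str) -> list:
    """Semantic anchoring check for an ACTOR_ACCOUNT_ID pattern.

    Extract every numeric literal the pattern lists, then confirm that neither a
    digit prepended nor a digit appended still matches. Returns sorted
    (literal, probe) pairs that wrongly matched; an empty list means the pattern
    only accepts the exact IDs it names."""
    bad = []
    for literal in set(re.findall(r"\d+", pattern)):
        for probe in ("9" + literal, literal + "9"):
            if actor_matches(pattern, probe):
                bad.append((literal, probe))
    return sorted(bad)


def lint_filter_groups(filter_groups) -> list:
    """Lint a filterGroups structure: list of groups, each a list of
    {"type": ..., "pattern": ...} dicts. Only actor filters are inspected."""
    findings = []
    for gi, group in enumerate(filter_groups):
        for f in group:
            if f["type"] != "ACTOR_ACCOUNT_ID":
                continue
            for literal, probe in probe_anchoring(f["pattern"]):
                findings.append(
                    f"group {gi}: pattern {f['pattern']!r} also matches actor "
                    f"{probe} (contains approved ID {literal})"
                )
    return findings


# Constructed sample configurations (shape only; not AWS's real project settings).
WEAK_FILTER_GROUPS = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "755743"},          # unanchored
]]
FIXED_FILTER_GROUPS = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": anchored_pattern(APPROVED_IDS)},
]]

if __name__ == "__main__":
    for name, groups in (("weak", WEAK_FILTER_GROUPS), ("fixed", FIXED_FILTER_GROUPS)):
        print(name, lint_filter_groups(groups) or "OK")
```

Running the lint over an exported project configuration (for example the JSON returned by `aws codebuild batch-get-projects`, after pulling out `webhook.filterGroups`) is a cheap guard to add to a CI policy check; the probe-based test also catches the half-anchored form `^755743|12345$`, which a naive "starts with ^ and ends with $" check would pass.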
The misconfiguration impacted four AWS-managed repositories:
- aws-sdk-js-v3 (JavaScript SDK)
- aws-lc (cryptographic library)
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
AWS confirmed the flaw was project-specific and not a systemic CodeBuild issue. While no exploitation was detected, the company implemented credential rotations, enhanced build process protections, and stricter regex validation to prevent recurrence.
The incident underscores the high-risk nature of CI/CD pipelines, where minor misconfigurations can lead to large-scale breaches. Similar vulnerabilities in GitHub Actions workflows, such as pull_request_target misconfigurations, have previously exposed projects from Google, Microsoft, and NVIDIA to remote code execution (RCE) and secrets theft. Security researchers emphasize that untrusted code should never trigger privileged pipelines without proper validation.
Source: https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html
{
  "id": "AMAWIZ1768515615",
  "linkid": "amazon-web-services, wiz",
  "type": "Vulnerability",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "All AWS customers (potentially)",
      "industry": "Technology/Cloud Computing",
      "location": "Global",
      "name": "Amazon Web Services (AWS)",
      "size": "Large",
      "type": "Cloud Service Provider"
    }
  ],
  "attack_vector": "Misconfigured CI/CD Pipeline",
  "data_breach": {
    "data_exfiltration": "Potential (if exploited)",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Privileged credentials (GitHub admin tokens, Personal Access Tokens)"
  },
  "date_detected": "2025-08-25",
  "date_publicly_disclosed": "2025-09-01",
  "date_resolved": "2025-09-01",
  "description": "A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk. The vulnerability, codenamed CodeBreach, was discovered by cloud security company Wiz and could have enabled attackers to inject malicious code to launch a platform-wide compromise, affecting applications depending on the SDK and the AWS Console itself.",
  "impact": {
    "brand_reputation_impact": "High",
    "data_compromised": "GitHub admin tokens, repository secrets, privileged credentials",
    "operational_impact": "Potential platform-wide compromise of AWS environments",
    "systems_affected": "AWS CodeBuild, GitHub repositories (aws-sdk-js-v3, aws-lc, amazon-corretto-crypto-provider, awslabs/open-data-registry)"
  },
  "initial_access_broker": {
    "entry_point": "Predictable GitHub actor ID via bot user registration",
    "high_value_targets": "AWS-managed GitHub repositories (e.g., aws-sdk-js-v3)"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "CI/CD pipeline security is critical, especially for untrusted contributions. Misconfigurations in webhook filters can lead to high-impact breaches. Anchoring regex patterns and limiting PAT permissions are essential mitigations.",
  "post_incident_analysis": {
    "corrective_actions": "Anchored regex patterns, rotated credentials, implemented additional build process security measures.",
    "root_causes": "Insufficient regex anchoring in AWS CodeBuild webhook filters, allowing unauthorized actor IDs to trigger builds and access privileged credentials."
  },
  "recommendations": [
    "Enable Pull Request Comment Approval build gate for untrusted contributions",
    "Use CodeBuild-hosted runners to manage build triggers via GitHub workflows",
    "Ensure regex patterns in webhook filters are anchored (use ^ and $)",
    "Generate a unique PAT for each CodeBuild project",
    "Limit PAT permissions to the minimum required",
    "Use a dedicated unprivileged GitHub account for CodeBuild integration"
  ],
  "references": [
    {"date_accessed": "2025-09-01", "source": "The Hacker News"},
    {"date_accessed": "2025-09-01", "source": "Wiz Research Report"},
    {"date_accessed": "2025-09-01", "source": "AWS Advisory"}
  ],
  "response": {
    "communication_strategy": "Public advisory released by AWS and Wiz",
    "containment_measures": "Remediation of misconfigured webhook filters, credential rotations",
    "incident_response_plan_activated": "Yes",
    "recovery_measures": "Securing build processes containing GitHub tokens or credentials in memory",
    "remediation_measures": "Anchoring regex patterns, enabling Pull Request Comment Approval build gate, using CodeBuild-hosted runners, limiting PAT permissions",
    "third_party_assistance": "Wiz (cloud security company)"
  },
  "stakeholder_advisories": "AWS released an advisory detailing the misconfiguration and remediation steps.",
  "title": "CodeBreach: AWS CodeBuild Misconfiguration Could Lead to Platform-Wide Compromise",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "Insufficient regex anchoring in AWS CodeBuild webhook filters"
}