- Wiz discovered AWS CodeBuild misconfiguration enabling unauthorized privileged builds, dubbed “CodeBreach.”
- Flaw risked exposing GitHub tokens and enabling supply chain attacks across AWS projects
- AWS fixed issue within 48 hours; no abuse detected, users urged to secure CI/CD setups
A critical misconfiguration in Amazon Web Services (AWS) CodeBuild service exposed several AWS-managed GitHub repositories to potential supply chain attacks, experts have warned.
Security researchers Wiz discovered the flaw and reported it to AWS, thus helping remedy the issue.
AWS CodeBuild is a fully managed Amazon Web Services service that automatically builds and packages source code as part of a CI/CD pipeline. It runs build jobs in isolated environments and scales on demand.
CodeBreach
Wiz’s report outlines how the misconfiguration was in how AWS CodeBuild checked which GitHub users were allowed to trigger build jobs. The system used a pattern that did not require an exact match, allowing attackers to predict, and obtain, new IDs that contained approved IDs as substrings, bypassing the filter and triggering privileged builds.
This allowed untrusted users to start privileged build processes which could, in turn, expose powerful GitHub access tokens stored in the build environment.
The vulnerability, named “CodeBreach”, could have thus enabled platform-wide compromise, potentially impacting countless applications and AWS customers by distributing backdoored software updates.
Luckily, it seems Wiz picked it up before any malicious actors could, since there is no evidence CodeBreach was abused in the wild.
AWS apparently corrected the misconfigured webhook filters, rotated credentials, secured build environments, and “added additional safeguards”. The company also stated that the issue was project-specific and not a flaw in the CodeBuild service itself.
“AWS investigated all reported concerns highlighted by Wiz’s research team in ‘Infiltrating the AWS Console Supply Chain: Hijacking Core AWS GitHub Repositories via CodeBuild.’,” it said in a statement shared with Wiz.
“In response, AWS took a number of steps to mitigate all issues discovered by Wiz, as well as additional steps and mitigations to protect against similar possible future issues. The core issue of actor ID bypass due to unanchored regexes for the identified repos was mitigated within 48 hours of first disclosure. Additional mitigations were implemented, including further protections of all build processes that contain Github tokens or any other credentials in memory.
“In addition, AWS audited all other public build environments to ensure that no such issues exist across the AWS open source estate. Finally, AWS audited the logs of all public build repositories as well as associated CloudTrail logs and determined that no other actor had taken advantage of the unanchored regex issue demonstrated by the Wiz research team.
“AWS determined there was no impact of the identified issue on the confidentiality or integrity of any customer environment or any AWS service.”
Wiz reported the misconfiguration to AWS in late August 2025, and the latter fixed it soon after. However, both companies recommend users review their CI/CD configurations, anchor webhook regex filters, limit token privileges, and make sure untrusted pull requests cannot trigger privileged build pipelines.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
link