- Wiz discovered misconfiguration of AWS CodeBuild that enabled unauthorized privileged builds, called “CodeBreach”.
- Flaws risked exposing GitHub tokens and enabling supply chain attacks across AWS projects
- AWS resolved the issue within 48 hours; no abuse detected, users are encouraged to secure CI/CD setups
A critical misconfiguration in the Amazon Web Services (AWS) CodeBuild service exposed several AWS-managed GitHub repositories to potential supply chain attacks, experts have warned.
Security researchers Wiz discovered the bug and reported it to AWS, helping to fix the problem.
AWS CodeBuild is a fully managed Amazon Web Services service that automatically builds and packages source code as part of a CI/CD pipeline. It runs build jobs in isolated environments and scales as needed.
CodeBreach
Wiz’s report explains that the misconfiguration lay in how AWS CodeBuild controlled which GitHub users were allowed to trigger build jobs. The filter used a pattern that did not require an exact match, so an attacker could predict and obtain new GitHub account IDs that contained an authorized ID as a substring, bypassing the filter and triggering privileged builds.
This allowed untrusted users to launch privileged build processes, which in turn could expose powerful GitHub access tokens stored in the build environment.
The vulnerability, dubbed “CodeBreach,” could thus have enabled platform-wide compromise, potentially affecting countless applications and AWS customers by distributing backdoor software updates.
Fortunately, Wiz seems to have caught it before any malicious actors could, as there is no evidence that CodeBreach was abused in the wild.
AWS apparently corrected the misconfigured webhook filters, rotated credentials, secured build environments, and “added additional security measures.” The company also stated that the problem was project-specific and not a bug in the CodeBuild service itself.
“AWS investigated all reported concerns highlighted by Wiz’s research team in ‘Infiltrating the AWS Console Supply Chain: Hijacking Core AWS GitHub Repositories via CodeBuild,’” a statement shared with Wiz said.
“In response, AWS took a number of steps to mitigate all issues discovered by Wiz, as well as additional steps and restrictions to protect against similar possible future issues. The core issue of actor ID bypass due to unrooted regexes for the identified repositories was remedied within 48 hours of the initial publication. Additional restrictions were implemented, including additional protection of Githubs that contained any other build or credential processes in memory.”
“Additionally, AWS audited all other public build environments to ensure that no such issues exist across the AWS open source property. Finally, AWS audited the logs for all public build repositories as well as associated CloudTrail logs and determined that no other actor had taken advantage of the unrooted regex issue demonstrated by the Wiz research team.”
“AWS determined that the identified issue had no impact on the confidentiality or integrity of any customer environment or any AWS service.”
Wiz reported the misconfiguration to AWS in late August 2025, and the latter fixed it soon after. However, both companies recommend that users review their CI/CD configurations, anchor webhook regex filters, limit token privileges, and ensure that untrusted pull requests cannot trigger privileged build pipelines.