A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed an attacker to fully compromise the AWS-managed GitHub repositories, including one of the most popular, the AWS JavaScript SDK, and put the security of every AWS environment worldwide at risk.
Cloud security company Wiz coined the name CodeBreach for the issue, which it describes as "a vulnerability in AWS CodeBuild." Wiz disclosed the issue responsibly to AWS on August 25, 2025, and AWS began mitigating the impact of CodeBreach in September 2025.
According to Wiz researchers Yuval Avrahami and Nir Ohfeld, "Exploiting CodeBreach gives an attacker the opportunity to inject malicious code that would provide them with the opportunity to launch a successful attack across the entire AWS environment platform."
What Happened
CodeBreach was the result of misconfigured CI webhook filters in the AWS CodeBuild pipelines of several AWS open-source projects. These webhook filters were meant to allow only trusted GitHub users to trigger privileged builds. The filters relied on an improperly written regular expression within the trigger source GitHub URLs: it omitted the "^" (start-of-string) and "$" (end-of-string) anchors, so the check matched anywhere in the GitHub user ID field rather than requiring an exact match. An attacker could therefore bypass the protection by presenting a GitHub user ID that was a substring match for a trusted ID.
Because GitHub user IDs are sequentially generated numbers (for example 1000, 1001, 1002, ...), an attacker would have been able to predict and generate GitHub user IDs matching every trusted maintainer, allowing them to trigger privileged builds without authorization.
Affected AWS Repositories
The following GitHub repositories managed by AWS were affected:
1. aws-sdk-js-v3
2. aws-lc
3. amazon-corretto-crypto-provider
4. awslabs/open-data-registry
Each of these repositories ran CodeBuild jobs whenever a pull request was submitted, and during those builds high-privileged GitHub Personal Access Tokens (PATs) were exposed to whoever triggered the build.
Impact and Attack Potential
If an attacker had the capability to exploit this vulnerability, they could have:
1. obtained GitHub Admin Tokens
2. pushed malicious code to the main branch of a repository
3. approved their own pull requests
4. extracted sensitive secrets from the repository
5. conducted large-scale supply chain attacks
Because AWS SDKs are used worldwide, a single malicious commit could have compromised millions of applications and AWS Console integrations that depend on them.
AWS Response
AWS's position on this incident was that it was caused by the specific configuration of a particular project's code and settings; there was no problem with the CodeBuild service itself.
AWS took the following steps, among others, to mitigate the risk posed by the misconfiguration:
1. corrected the regular expressions for the webhook filters
2. rotated any exposed credentials
3. hardened the continuous integration (CI) build environment
4. secured in-memory secrets
5. performed a thorough review of the CI trigger logic
According to AWS, there was no evidence at the time that any of these repositories had been abused for malicious purposes.
Recommendations for Securing Your CI/CD Pipeline
Wiz and AWS suggest the following:
1. Ensure that webhook regex filters are anchored on both ends
2. Do not allow privileged builds to be triggered by untrusted pull requests
3. Make use of Pull Request Comment Approval gates
4. Assign each CI project a unique, least-privilege Personal Access Token (PAT)
5. Use dedicated, unprivileged CI accounts
6. Provide only the minimum required access when using a GitHub Token
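To make the anchoring point concrete, the following added example (written for this article, not code from Wiz or AWS) builds an actor-ID filter in both the flawed unanchored form and the anchored form, runs constructed sample account IDs through each, and includes a small audit helper that flags unanchored ACTOR_ACCOUNT_ID patterns in CodeBuild-style webhook filter groups. The trusted IDs, candidate IDs and filter-group dicts are all constructed for the example; a bare alternation such as 1000|2500 matches any ID that merely contains 1000 or 2500, which is exactly what the missing ^ and $ anchors allow.

```python
import re

# Constructed sample data (not from the article): numeric GitHub account IDs
# of the maintainers a CI webhook filter is meant to trust.
TRUSTED_ACTOR_IDS = ["1000", "2500", "31337"]

# Constructed candidate actor IDs: one trusted ID, two IDs that merely contain
# a trusted ID as a substring, and one unrelated ID.
CANDIDATE_ACTOR_IDS = ["1000", "10001", "12500", "9999"]


def build_actor_filter(trusted_ids, anchored):
    """Build an ACTOR_ACCOUNT_ID-style regex from a list of trusted IDs.

    anchored=False reproduces the flawed shape (a bare alternation);
    anchored=True wraps it in ^(...)$ so only an exact ID can match.
    """
    alternation = "|".join(re.escape(i) for i in trusted_ids)
    return f"^({alternation})$" if anchored else alternation


def actor_allowed(pattern, actor_id):
    """Emulate a regex webhook filter: a match anywhere in the value passes."""
    return re.search(pattern, actor_id) is not None


def allowed_actors(pattern, candidate_ids):
    """Return the candidate IDs the given filter would let trigger a build."""
    return [i for i in candidate_ids if actor_allowed(pattern, i)]


def is_anchored(pattern):
    """Lint check: a filter on an exact ID must start with ^ and end with $."""
    return pattern.startswith("^") and pattern.endswith("$")


def audit_filter_groups(filter_groups):
    """Flag ACTOR_ACCOUNT_ID filters whose pattern is not anchored.

    filter_groups follows the shape of CodeBuild webhook filter groups
    (a list of lists of {"type", "pattern"} dicts); the groups passed in
    here are constructed for the example. Returns (group index, pattern)
    tuples for every unanchored actor filter found.
    """
    findings = []
    for group_index, group in enumerate(filter_groups):
        for f in group:
            if f.get("type") == "ACTOR_ACCOUNT_ID" and not is_anchored(f["pattern"]):
                findings.append((group_index, f["pattern"]))
    return findings


if __name__ == "__main__":
    weak = build_actor_filter(TRUSTED_ACTOR_IDS, anchored=False)
    fixed = build_actor_filter(TRUSTED_ACTOR_IDS, anchored=True)
    print("unanchored", weak, "->", allowed_actors(weak, CANDIDATE_ACTOR_IDS))
    print("anchored  ", fixed, "->", allowed_actors(fixed, CANDIDATE_ACTOR_IDS))
    groups = [
        [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
         {"type": "ACTOR_ACCOUNT_ID", "pattern": weak}],
    ]
    print("audit findings:", audit_filter_groups(groups))
```

Running the block shows the unanchored filter admitting 10001 and 12500 alongside the genuinely trusted 1000, while the anchored filter admits only 1000. The audit helper is the check a defender would run over exported webhook configuration: any ACTOR_ACCOUNT_ID pattern without both anchors is a finding, regardless of which IDs it lists.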
"The findings from this vulnerability are an example of the reason adversaries attack CI/CD environments," Wiz researchers said.
Why Is It Important To You?
CodeBreach demonstrates that CI/CD pipelines have become a target for many attacks. A similar class of weakness in GitHub Actions involves the pull_request_target trigger, which previously put Google, Microsoft and NVIDIA projects at risk.
In addition, missing just one configuration setting within a CI/CD system can open the door to compromise of an entire ecosystem.
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067