TL;DR

Wiz Research found a vulnerability in how several AWS-owned CodeBuild projects wrote their webhook filters: an unanchored regular expression let attacker-controlled GitHub accounts with no repository privileges trigger privileged builds, hijack them and steal credentials. The flaw made account-registration attacks practical and could lead to full takeover of key AWS GitHub repositories; AWS has patched the issue and added new build-gating options.

What happened

Security researchers at Wiz disclosed a vulnerability they named CodeBreach after finding an unanchored regular-expression filter in AWS CodeBuild webhook settings. Several AWS-owned repositories that triggered builds on pull requests restricted the trigger with an actor filter (the CodeBuild ACTOR_ACCOUNT_ID filter type) written as a regex without start (^) and end ($) anchors. Because the unanchored pattern matched anywhere in the value, any GitHub user whose numeric account ID merely contained an approved ID as a substring passed the filter. Wiz demonstrated this by racing to register GitHub bot accounts (via the GitHub App manifest flow) until it obtained numeric IDs containing trusted maintainer IDs, then opening pull requests from those accounts that triggered privileged builds. Because CodeBuild build environments keep GitHub credentials in memory, a compromised build can expose those credentials and enable repository takeover. Wiz reported the issue to AWS; AWS implemented fixes and global hardening steps, including a new Pull Request Comment Approval build gate.

Why it matters

  • CI/CD misconfigurations can enable supply-chain attacks that affect many downstream projects reliant on widely used libraries.
  • Compromised builds can leak credentials from build environment memory, giving attackers repository-level privileges.
  • The vulnerability affected core AWS repositories including the AWS JavaScript SDK, increasing potential blast radius across applications and services that depend on them.
  • This case follows a pattern of high-impact incidents caused by subtle pipeline or webhook errors, underscoring the need for stronger CI/CD safeguards.

Key facts

  • Wiz Research discovered the issue and responsibly disclosed it to AWS.
  • The root cause was an unanchored regex in the CodeBuild webhook actor filter (ACTOR_ACCOUNT_ID); two missing characters (the start ^ and end $ anchors) turned an intended exact match into a substring match.
  • Wiz used the GitHub App manifest flow to create bot accounts en masse and win a race to register IDs containing trusted maintainer IDs, enabling forged build triggers.
  • Affected AWS repositories identified by Wiz included aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry.
  • A successful exploit could let attackers inject malicious code into builds and steal credentials from CodeBuild memory, enabling repository takeover.
  • AWS applied fixes and added global hardening measures to CodeBuild; a notable mitigation is the Pull Request Comment Approval build gate.
  • Wiz published mitigation recommendations for CodeBuild users, including anchoring regex filters, using the new approval gate, and tightening GitHub token usage.
  • Wiz provided a pre-built query for its customers to find CodeBuild projects that trigger builds from untrusted pull requests.
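The filter mistake described above and in the Key facts is small enough to model directly. The following is an added example, not code from the Wiz write-up or from AWS: it treats an unanchored pattern as a substring test (an assumption about how the filter engine searches, matching the behaviour the page describes), shows why a freshly registered account ID can pass the weak filter, and audits CodeBuild-style webhook filter groups for the missing anchors. The account IDs, project data and filter groups are constructed for illustration.

```python
"""Added example (not from Wiz or AWS): model an unanchored ACTOR_ACCOUNT_ID
webhook filter and audit CodeBuild-style filter groups for the missing anchors.
All IDs and filter groups below are constructed for illustration."""
import re


def actor_passes_filter(pattern: str, actor_account_id: str) -> bool:
    """Assumption: the webhook filter is a regex searched anywhere in the
    attribute value, so an unanchored pattern behaves like a substring test.
    re.search reproduces that; re.fullmatch would be the safe semantics."""
    return re.search(pattern, actor_account_id) is not None


def is_anchored(pattern: str) -> bool:
    """Heuristic check that the pattern pins both ends of the value.
    An alternation must also be grouped: '^a|b$' anchors only 'a' at the
    start and only 'b' at the end, so it is flagged as unanchored too."""
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return False
    body = pattern[1:-1]
    if "|" in body and not (body.startswith("(") and body.endswith(")")):
        return False
    return True


def audit_filter_groups(filter_groups):
    """Return (group_index, pattern) for every ACTOR_ACCOUNT_ID filter whose
    regex is not anchored at both ends. filter_groups follows the shape of
    the CodeBuild API's webhook filterGroups: a list of groups, each a list of
    {"type": ..., "pattern": ...} filters that must all match."""
    findings = []
    for i, group in enumerate(filter_groups):
        for f in group:
            if f["type"] == "ACTOR_ACCOUNT_ID" and not is_anchored(f["pattern"]):
                findings.append((i, f["pattern"]))
    return findings


def candidate_attacker_ids(trusted_id: str, pool):
    """From a pool of (constructed) newly registered account IDs, return the
    ones that would slip past an unanchored filter for trusted_id: every ID
    that contains it as a substring but is not the trusted ID itself."""
    return [a for a in pool if trusted_id in a and a != trusted_id]


# Constructed data: one trusted maintainer ID, a weak filter group of the
# kind the page describes, and the same group with anchors added.
TRUSTED_ID = "12345"
WEAK_FILTER_GROUPS = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "12345|67890"},
]]
HARDENED_FILTER_GROUPS = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(12345|67890)$"},
]]


def demo():
    """Compare the weak and hardened actor filters against the trusted ID and
    a constructed attacker ID that contains it."""
    weak = WEAK_FILTER_GROUPS[0][1]["pattern"]
    hard = HARDENED_FILTER_GROUPS[0][1]["pattern"]
    attacker = "9123456"  # constructed: contains "12345" as a substring
    return {
        "weak_passes_trusted": actor_passes_filter(weak, TRUSTED_ID),
        "weak_passes_attacker": actor_passes_filter(weak, attacker),
        "hard_passes_trusted": actor_passes_filter(hard, TRUSTED_ID),
        "hard_passes_attacker": actor_passes_filter(hard, attacker),
        "weak_findings": audit_filter_groups(WEAK_FILTER_GROUPS),
        "hard_findings": audit_filter_groups(HARDENED_FILTER_GROUPS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit is a syntactic heuristic: it catches the two-character omission and the ungrouped-alternation variant, but a pattern can still be over-broad in other ways (a `.` or a character class), so the hardened pattern should also be tested against a few known-bad values, as `demo()` does, rather than trusted on inspection alone.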

What to watch next

  • Adoption rate and operational impact of AWS's new Pull Request Comment Approval build gate.
  • Whether other public repositories or third-party projects are found to use similarly unanchored filters.
  • Whether this vulnerability was used in the wild beyond Wiz's research demonstrations (not confirmed in the source).

Quick glossary

  • AWS CodeBuild: A managed continuous-integration service that runs build jobs in response to repository events like commits or pull requests.
  • Webhook filter: A rule set that inspects event metadata to decide whether an incoming repository event should trigger a build or workflow.
  • Regex anchors (^, $): Special characters in regular expressions that assert the start (^) or end ($) of a string, so that the pattern must match the whole value rather than any substring of it.
  • Pull request: A mechanism for proposing and reviewing code changes from one branch or fork before merging into a target repository.

Reader FAQ

Did attackers actually compromise the AWS Console or customer accounts?
Not confirmed in the source. The page describes Wiz's research demonstration against the affected repositories and does not report a real-world compromise of the AWS Console or of customer accounts.

Do downstream users of affected AWS libraries need to take immediate action?
The source states no immediate action is required for downstream consumers of the affected repositories.

Has AWS fixed the issue?
Yes. AWS remediated the reported vulnerability and implemented global hardening measures in CodeBuild, including a Pull Request Comment Approval build gate.

What concrete mitigations should CodeBuild users apply?
Recommendations include enabling the Pull Request Comment Approval gate, anchoring webhook regex patterns with ^ and $ so they match the whole value, using CodeBuild-hosted runners or fine-grained personal access tokens (PATs) with minimal permissions, and considering a dedicated unprivileged GitHub account for integrations.

Sources

Wiz Research uncovered CodeBreach, a critical vulnerability that placed the AWS Console supply chain at risk. The issue allowed a complete takeover of key AWS GitHub repositories – most notably…