- Wiz discovered a misconfiguration of AWS CodeBuild allowing unauthorized privileged builds, dubbed “CodeBreach.”
- Flaw risked exposing GitHub tokens and enabling supply chain attacks in AWS projects
- AWS resolved the issue within 48 hours and found no evidence of abuse; users are advised to secure their CI/CD configurations
A critical misconfiguration in Amazon Web Services’ (AWS) CodeBuild service has exposed several AWS-managed GitHub repositories to potential supply chain attacks, experts have warned.
Security researchers at Wiz discovered the flaw and reported it to AWS, helping to remedy the issue.
AWS CodeBuild is a fully managed AWS service that builds, tests and packages source code as part of a CI/CD pipeline. It runs build jobs in isolated environments and scales on demand.
Code violation
Wiz’s report describes a misconfiguration in how the CodeBuild projects behind AWS’s GitHub repositories checked which GitHub users were allowed to trigger builds. The webhook filter compared the GitHub account ID of the user behind an event against a regular expression that was not anchored, so it did not require an exact match: an attacker could obtain a GitHub account whose numeric ID contained a trusted user’s ID as a substring, pass the filter, and trigger privileged builds.
This allowed untrusted users to start privileged build processes which could, in turn, expose powerful GitHub access tokens stored in the build environment.
The vulnerability, named “CodeBreach,” could have enabled a platform-wide compromise: hijacked repositories could have been used to push tampered software updates to countless AWS applications and customers.
Fortunately, it appears that Wiz detected it before any malicious actors, as there is no evidence that CodeBreach was abused in the wild.
AWS reportedly fixed the misconfigured webhook filters, rotated the affected credentials, hardened the build environments, and “added additional safeguards.” The company also said that the problem was specific to the affected projects and not a fault in the CodeBuild service itself.
“AWS has investigated all concerns reported by the Wiz research team in ‘AWS Console Supply Chain Infiltration: Hijacking Core AWS GitHub Repositories via CodeBuild.'” it said in a statement shared with Wiz.
“In response, AWS has taken a number of steps to mitigate all issues discovered by Wiz, as well as additional measures and mitigations to protect against potential similar future issues. The primary issue of Actor ID bypass due to unanchored regular expressions for identified repositories was mitigated within 48 hours of first disclosure. Additional mitigations have been implemented, including additional protections of all build processes that contain GitHub tokens or any other credentials in memory.
“Additionally, AWS has audited all other public build environments to ensure that no such issues exist in the AWS open source domain. Finally, AWS audited the logs of all public build repositories as well as the associated CloudTrail logs and determined that no other actors had taken advantage of the unanchored regular expression issue demonstrated by the Wiz research team.
“AWS has determined that the identified issue has no impact on the confidentiality or integrity of any customer environment or AWS service.”
Wiz reported the misconfiguration to AWS in late August 2025, and AWS corrected it shortly after. However, both companies recommend that users review their CI/CD configurations, anchor webhook regex filters, limit token privileges, and ensure that untrusted pull requests cannot trigger privileged build pipelines.
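The following is an added example, not code from the TechRadar article, from Wiz or from AWS. It simulates the actor-ID bypass described above and the anchoring fix recommended here. CodeBuild webhook filters of type ACTOR_ACCOUNT_ID take a regular-expression pattern that is matched against the numeric GitHub account ID of the user who caused the event; the trusted IDs, the webhook events and the evaluation function below are constructed assumptions for illustration, and the last function is a check a practitioner could run against an existing filter pattern:

```python
import re

# Constructed sample data for this added example. TRUSTED_ACTOR_IDS plays the
# role of the allow-list of GitHub numeric account IDs in a CodeBuild
# ACTOR_ACCOUNT_ID webhook filter; SAMPLE_EVENTS are hypothetical pull-request
# webhook deliveries, each carrying the numeric ID of the user who opened it.
TRUSTED_ACTOR_IDS = ["123456", "7890123"]

SAMPLE_EVENTS = [
    {"actor_id": "123456", "label": "trusted maintainer"},
    {"actor_id": "7890123", "label": "trusted release bot"},
    {"actor_id": "91234567", "label": "attacker, ID contains 123456 as a substring"},
    {"actor_id": "555555", "label": "unrelated user"},
]


def weak_pattern(trusted_ids):
    """The unanchored alternation the article describes, e.g. '123456|7890123'.
    Nothing pins the match to the start or the end of the actor ID."""
    return "|".join(re.escape(i) for i in trusted_ids)


def anchored_pattern(trusted_ids):
    """The fix: '^(123456|7890123)$' can only match the whole actor ID."""
    return "^(" + "|".join(re.escape(i) for i in trusted_ids) + ")$"


def filter_allows(pattern, actor_id):
    """Simulated filter (an assumption for this example, not CodeBuild's own
    evaluation code): the build is allowed when the pattern matches anywhere in
    the actor ID, so exactness depends entirely on the pattern being anchored."""
    return re.search(pattern, actor_id) is not None


def allowed_events(pattern, events):
    """Labels of every event the filter would let trigger a (privileged) build."""
    return [e["label"] for e in events if filter_allows(pattern, e["actor_id"])]


def substring_collisions(trusted_ids, actor_id):
    """Trusted IDs that occur inside actor_id without being equal to it: each
    one is a way an unanchored filter admits an account outside the allow-list."""
    return [t for t in trusted_ids if t in actor_id and t != actor_id]


def pattern_is_exact(pattern, trusted_ids):
    """Behavioural check for an existing filter pattern: it must match every
    trusted ID on its own and must reject the same ID with a digit added in
    front or behind. This also catches '^a|b$', which looks anchored but is
    not, because alternation binds more loosely than the anchors."""
    for t in trusted_ids:
        if not filter_allows(pattern, t):
            return False
        if filter_allows(pattern, "9" + t) or filter_allows(pattern, t + "9"):
            return False
    return True


if __name__ == "__main__":
    for name, pattern in (("weak", weak_pattern(TRUSTED_ACTOR_IDS)),
                          ("fixed", anchored_pattern(TRUSTED_ACTOR_IDS))):
        print(name, pattern, "exact" if pattern_is_exact(pattern, TRUSTED_ACTOR_IDS)
              else "NOT exact", allowed_events(pattern, SAMPLE_EVENTS))
    for e in SAMPLE_EVENTS:
        hits = substring_collisions(TRUSTED_ACTOR_IDS, e["actor_id"])
        if hits:
            print(f"actor {e['actor_id']} ({e['label']}) contains trusted ID(s) {hits}")
```

Run as a script, the weak pattern admits the constructed attacker event alongside the two trusted ones, while the anchored pattern admits only the trusted users. The `pattern_is_exact` check is deliberately behavioural rather than a string inspection, so that a pattern such as `^123456|7890123$`, which carries both anchors yet still matches substrings, is flagged as well.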