Full Report
A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk. The vulnerability has been codenamed CodeBreach by cloud security company Wiz. The issue was fixed by AWS in September 2025 following responsible disclosure on
Analysis Summary
# Vulnerability: Critical Misconfiguration in AWS CodeBuild Affecting GitHub Repository Access (CodeBreach)
## CVE Details
- CVE ID: Not explicitly provided in the source, labeled internally as **CodeBreach**.
- CVSS Score: Not explicitly provided in the source (Severity implied as Critical due to potential for platform-wide compromise).
- CWE: CWE-16 (Configuration) or CWE-682 (Incorrect Calculation/Logic), related to insufficient regex validation.
## Affected Systems
- Products: AWS CodeBuild (specifically its integration with GitHub Webhook filters).
- Versions: Not version-specific. The AWS CodeBuild service itself was deemed *not* the issue; the exposure lay in specific webhook-filter configurations of customer-managed or AWS-managed GitHub repositories whose CI pipelines run on CodeBuild.
- Configurations: AWS-managed open source GitHub repositories configured to trigger CodeBuild builds based on the GitHub `ACTOR_ID` using webhook filters lacking precise regex boundary anchors (`^` and `$`).
Affected AWS Repositories mentioned:
- `aws-sdk-js-v3`
- `aws-lc`
- `amazon-corretto-crypto-provider`
- `awslabs/open-data-registry`
## Vulnerability Description
The vulnerability stemmed from an insufficient configuration of AWS CodeBuild webhook filters used to secure continuous integration (CI) pipeline triggers from GitHub pull requests. Specifically, certain AWS-managed repositories used a regular expression (regex) filter on the `ACTOR_ID` (GitHub user ID) that was intended to match only specific trusted user IDs exactly. However, the regex patterns omitted the required start (`^`) and end (`$`) anchors. Without anchors the pattern matches anywhere in the string, so any actor ID that contained an approved numeric ID as a substring passed the validation and could trigger a build. Since GitHub user IDs are assigned sequentially, researchers could predict when a future user ID (e.g., 9 digits) would contain a trusted maintainer's ID (e.g., 6 digits) as a substring. By creating a sufficient number of automated bot users via GitHub Apps, an attacker could eventually obtain an ID that matched the vulnerable pattern, triggering a build and leading to the exfiltration of privileged credentials (such as a Personal Access Token with admin rights for the repository).
## Exploitation
- Status: **Not exploited in the wild** (Confirmed by AWS).
- Complexity: **Medium** (Required knowledge of sequential GitHub ID assignment, use of GitHub Apps for automation, and prediction of future user IDs).
- Attack Vector: **Network** (Remote exploitation via triggering a GitHub webhook).
## Impact
- Confidentiality: **High** (Leakage of GitHub admin tokens/PATs, potential exfiltration of repository secrets).
- Integrity: **Critical** (Ability to inject malicious code/approve malicious changes directly into production branches of critical SDKs, enabling supply chain compromise).
- Availability: **Low to Medium** (Direct service availability was not the primary target, but compromise could lead to integrity issues affecting dependent services).
## Remediation
### Patches
- AWS fixed the underlying configuration issue in **September 2025**, subsequent to responsible disclosure on August 25, 2025.
- The fix involved correctly implementing the regex anchor characters (`^` and `$`) in the CodeBuild webhook filters to enforce exact matching of actor IDs for affected repositories.
- AWS also implemented additional mitigations including credential rotations and securing build processes containing GitHub tokens in memory.
### Workarounds
- The source implies that the key control is ensuring untrusted contributions cannot trigger privileged CI/CD pipelines, in practice by reviewing every regex pattern in the webhook filters used by CodeBuild integrations and anchoring each one so that it matches the intended value exactly.
## Detection
- Indicators of Compromise (IoCs): Exfiltration of GitHub admin tokens or PATs from CodeBuild environment variables or build logs; unauthorized code pushes to main branches of specified repositories (`aws-sdk-js-v3`, `aws-lc`, etc.) that do not correspond to documented developer activity.
- Detection Methods and Tools: Monitoring AWS CloudTrail for suspicious CodeBuild activity originating from untrusted GitHub actors; auditing CodeBuild webhook filter regex configurations for missing start (`^`) and end (`$`) anchors.
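The following is an added example, not code from the advisory, AWS, or Wiz. It illustrates two points made above: the matching behaviour described under "Vulnerability Description" (an unanchored `ACTOR_ID` pattern matches any longer ID that contains the trusted ID as a substring, while the anchored pattern from the fix does not), and the audit step named under "Detection" (scanning filter configurations for patterns missing `^` and `$`). The filter structure is modelled on the shape of CodeBuild's `filterGroups` (a list of groups, each a list of `type`/`pattern` entries), using the page's `ACTOR_ID` label for the filter type (the CodeBuild API itself names this filter type `ACTOR_ACCOUNT_ID`). All IDs and patterns are constructed values, not real GitHub user IDs or AWS configuration.

```python
import re

# Constructed sample values (not real GitHub user IDs).
TRUSTED_MAINTAINER_ID = "123456"                      # hypothetical 6-digit maintainer ID
UNANCHORED_PATTERN = TRUSTED_MAINTAINER_ID            # the vulnerable filter style: no ^ / $
ANCHORED_PATTERN = f"^{TRUSTED_MAINTAINER_ID}$"       # the fixed filter style: exact match only
LOOKALIKE_ACTOR_ID = "912345678"                      # hypothetical 9-digit ID containing "123456"


def filter_matches(pattern: str, actor_id: str) -> bool:
    """Emulate a webhook filter decision: the build is triggered when the regex matches.

    re.search is used deliberately: a webhook filter regex is a search, so an
    unanchored pattern matches anywhere inside the actor ID, not just the whole ID.
    """
    return re.search(pattern, actor_id) is not None


def _top_level_alternatives(pattern: str) -> list[str]:
    """Split a pattern on '|' that sits outside parentheses.

    Escaped characters (e.g. '\\|') are not handled; numeric ID allow-lists
    never need them, so this keeps the audit logic easy to read.
    """
    branches, depth, current = [], 0, []
    for ch in pattern:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            branches.append("".join(current))
            current = []
        else:
            current.append(ch)
    branches.append("".join(current))
    return branches


def is_anchored(pattern: str) -> bool:
    """True only if every top-level alternative is bounded by ^ at the start and $ at the end.

    '^123456|789012$' is therefore rejected (each branch is only half-anchored),
    while '^(123456|789012)$' is accepted.
    """
    return all(b.startswith("^") and b.endswith("$") for b in _top_level_alternatives(pattern))


def audit_filter_groups(filter_groups: list[list[dict]]) -> list[dict]:
    """Report ACTOR_ID filters whose pattern does not enforce exact matching.

    filter_groups follows the CodeBuild filterGroups shape: a list of groups, where
    each group is a list of {"type": ..., "pattern": ...} dicts that are AND-ed together.
    """
    findings = []
    for group_index, group in enumerate(filter_groups):
        for entry in group:
            if entry.get("type") != "ACTOR_ID":
                continue
            pattern = entry.get("pattern", "")
            if not is_anchored(pattern):
                findings.append({
                    "group": group_index,
                    "pattern": pattern,
                    "issue": "ACTOR_ID pattern is not anchored with ^ and $; substring IDs would match",
                })
    return findings


# Constructed sample configuration: group 0 carries the vulnerable style, group 1 the fixed style.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ID", "pattern": UNANCHORED_PATTERN},
    ],
    [
        {"type": "EVENT", "pattern": "PUSH"},
        {"type": "ACTOR_ID", "pattern": "^(123456|789012)$"},
    ],
]


if __name__ == "__main__":
    print("unanchored matches look-alike ID:", filter_matches(UNANCHORED_PATTERN, LOOKALIKE_ACTOR_ID))
    print("anchored matches look-alike ID:  ", filter_matches(ANCHORED_PATTERN, LOOKALIKE_ACTOR_ID))
    print("anchored matches maintainer ID:  ", filter_matches(ANCHORED_PATTERN, TRUSTED_MAINTAINER_ID))
    for finding in audit_filter_groups(SAMPLE_FILTER_GROUPS):
        print("finding:", finding)
```

Running the block shows the unanchored pattern accepting the 9-digit look-alike ID and the anchored pattern rejecting it while still accepting the maintainer's own ID, and the audit reports only group 0. The `is_anchored` check inspects each top-level alternative on purpose: a list pattern such as `^111|222$` reads as anchored at a glance but leaves both IDs open to substring matches, which is exactly the class of mistake a configuration review should catch.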
## References
- Vendor Advisory: AWS Security Bulletin (mentioned as having been released on the disclosure date).
- Researcher Report: wiz dot io slash blog slash wiz-research-codebreach-vulnerability-aws-codebuild (defanged).
- News Source: thehackernews dot com slash 2026 slash 01 slash aws-codebuild-misconfiguration-exposed-github-repos-to-potential-supply-chain-attacks dot html (defanged).