- Wiz discovered an AWS CodeBuild misconfiguration that allowed builds with unauthorized privileges, called “CodeBreach.”
- The flaw risked exposing GitHub tokens and enabling supply chain attacks across all AWS projects.
- AWS fixed the issue within 48 hours; no abuse was detected, and users are urged to protect their CI/CD configurations.
A critical misconfiguration in the Amazon Web Services (AWS) CodeBuild service exposed several AWS-managed GitHub repositories to potential supply chain attacks, experts warned.
Wiz security researchers discovered the flaw and reported it to AWS, which helped fix the issue.
AWS CodeBuild is a fully managed Amazon Web Services service that automatically compiles and packages source code as part of a CI/CD pipeline. It runs build jobs in isolated environments and scales on demand.
Code violation
Wiz’s report describes how the misconfiguration occurred in the way AWS CodeBuild verified which GitHub users had permission to trigger build jobs. The filter used a regular expression that did not require an exact match, so any GitHub actor ID that merely contained an approved ID as a substring would pass. An attacker could predict and register new GitHub accounts whose IDs contained an approved ID, bypassing the filter and triggering privileged builds.
This allowed untrusted users to launch privileged build processes which, in turn, could expose powerful GitHub access tokens stored in the build environment.
The vulnerability, dubbed “CodeBreach,” could have allowed a platform-wide compromise, potentially impacting countless AWS applications and customers by distributing backdoored software updates.
Fortunately, it appears that Wiz caught it before any malicious actors, as there is no evidence that CodeBreach has been abused in the wild.
AWS apparently fixed misconfigured webhook filters, rotated credentials, secured build environments, and “added additional safeguards.” The company also stated that the issue was project-specific and not a flaw in the CodeBuild service itself.
“AWS investigated all reported concerns highlighted by the Wiz research team in ‘AWS Console Supply Chain Infiltration: Hijacking AWS GitHub Core Repositories via CodeBuild,’” it said in a statement shared with Wiz.
“In response, AWS took a number of steps to mitigate all of the issues discovered by Wiz, as well as additional measures and mitigations to protect against potential similar future issues. The primary issue of actor ID omission due to unpinned regular expressions for the identified repositories was mitigated within 48 hours of the first disclosure. Additional mitigations were implemented, including additional protections of all build processes that contain Github tokens or any other credentials in memory.
“In addition, AWS audited all other public build environments to ensure that no such issues exist across the entire AWS open source estate. Finally, AWS audited the logs of all public build repositories, as well as the associated CloudTrail logs, and determined that no other actors had exploited the unanchored regular expression issue demonstrated by the Wiz research team.
“AWS determined that the identified issue did not have any impact on the confidentiality or integrity of any customer environment or any AWS services.”
Wiz reported the misconfiguration to AWS in late August 2025, and the latter fixed it shortly after. However, both companies recommend users review their CI/CD configurations, pin webhook regex filters, limit token privileges, and ensure that untrusted pull requests cannot trigger privileged build channels.
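The substring match described in the “Code violation” section and the pinning advice above, as an added illustration that is not code from Wiz, AWS, or the original article. The filter objects mirror the type/pattern shape of CodeBuild webhook filter groups; the approved and impostor actor IDs and the patterns are constructed for this example.

```python
import re

# Constructed sample values, not real GitHub account IDs.
APPROVED_ACTOR_ID = "123456"
IMPOSTOR_ACTOR_IDS = ["9123456", "1234567", "91234560"]  # each contains "123456"
UNRELATED_ACTOR_ID = "987654"

# Two webhook filter groups in the CodeBuild type/pattern filter shape.
# The "weak" group uses the actor ID as a bare, unanchored regex; the
# "pinned" group anchors it so only the exact ID can match.
WEAK_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": APPROVED_ACTOR_ID},        # unanchored
]
PINNED_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": f"^{APPROVED_ACTOR_ID}$"},  # anchored
]


def actor_allowed(filter_group, actor_id):
    """Return True if every ACTOR_ACCOUNT_ID filter in the group matches.

    re.search models regex matching that is not tied to the start and end of
    the value: a pattern without ^ and $ matches anywhere inside the ID.
    """
    for f in filter_group:
        if f["type"] == "ACTOR_ACCOUNT_ID" and not re.search(f["pattern"], actor_id):
            return False
    return True


def unanchored_actor_filters(filter_group):
    """Audit helper (simple heuristic): list ACTOR_ACCOUNT_ID patterns that are
    not pinned with both a ^ start anchor and a $ end anchor."""
    return [
        f["pattern"] for f in filter_group
        if f["type"] == "ACTOR_ACCOUNT_ID"
        and not (f["pattern"].startswith("^") and f["pattern"].endswith("$"))
    ]


if __name__ == "__main__":
    for label, group in (("weak", WEAK_FILTER_GROUP), ("pinned", PINNED_FILTER_GROUP)):
        passed = [i for i in IMPOSTOR_ACTOR_IDS if actor_allowed(group, i)]
        print(f"{label}: impostor IDs accepted = {passed}")
        print(f"{label}: unanchored actor filters = {unanchored_actor_filters(group)}")
```

With the weak group every impostor ID is accepted; with the pinned group only the exact approved ID passes, and the audit helper reports nothing to fix.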