- Wiz discovered AWS CodeBuild misconfiguration enabling unauthorized privileged builds, dubbed “CodeBreach.”
- Flaw risked exposing GitHub tokens and enabling supply chain attacks across AWS projects.
- AWS fixed the issue within 48 hours; no abuse detected, users urged to secure CI/CD setups.
A significant misconfiguration in Amazon Web Services (AWS) CodeBuild has raised alarms regarding potential supply chain attacks on several AWS-managed GitHub repositories.
Security researchers at Wiz identified the flaw and promptly reported it to AWS, enabling a swift fix.
AWS CodeBuild is a fully managed service that automates the building and packaging of source code as part of a CI/CD pipeline, operating in isolated environments and scaling as needed.
CodeBreach
The report from Wiz details how the misconfiguration left AWS CodeBuild unable to properly verify which GitHub users could initiate build jobs. The webhook filter matched the actor ID against an unanchored pattern rather than requiring an exact match, so an attacker could predict and obtain a new GitHub account ID that contained an approved ID as a substring, pass the filter, and trigger privileged builds.
This vulnerability permitted untrusted users to initiate privileged build processes, potentially exposing sensitive GitHub access tokens stored within the build environment.
Named “CodeBreach,” this flaw could have led to a platform-wide compromise, affecting numerous applications and AWS customers by distributing backdoored software updates.
Fortunately, Wiz detected the issue before it was exploited; there is no evidence of CodeBreach being abused.
AWS has since rectified the misconfigured webhook filters, rotated credentials, secured build environments, and implemented additional safeguards. The company clarified that the issue was project-specific and not a flaw within the CodeBuild service itself.
“AWS investigated all reported concerns highlighted by Wiz’s research team in ‘Infiltrating the AWS Console Supply Chain: Hijacking Core AWS GitHub Repositories via CodeBuild,’” the company stated.
“In response, AWS took several steps to mitigate all issues discovered by Wiz, as well as additional measures to protect against similar future vulnerabilities. The core issue of actor ID bypass due to unanchored regexes for the identified repositories was mitigated within 48 hours of first disclosure. Further protections were also implemented for all build processes containing GitHub tokens or other credentials in memory.
“Additionally, AWS audited all other public build environments to ensure no similar issues exist across the AWS open-source ecosystem. Finally, AWS reviewed the logs of all public build repositories and associated CloudTrail logs, confirming that no other actors exploited the unanchored regex issue identified by the Wiz research team.
“AWS determined there was no impact on the confidentiality or integrity of any customer environment or AWS service due to the identified issue.”
Wiz reported the misconfiguration to AWS in late August 2025, and it was promptly addressed. Both companies recommend users review their CI/CD configurations, anchor webhook regex filters, limit token privileges, and ensure that untrusted pull requests cannot trigger privileged build pipelines.
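The following Python is an added illustration of the actor-ID bypass described in the CodeBreach section and of the "anchor webhook regex filters" advice above; it is example code, not Wiz's or AWS's. The filter-group shape (type, pattern, excludeMatchedPattern) follows the CodeBuild API, but the account IDs are constructed placeholders, and the assumption that ACTOR_ACCOUNT_ID patterns are applied as a regex search rather than an exact match follows the article's description of the affected projects.

```python
import re

# Constructed sample of CodeBuild webhook filter groups. The filter shape
# (type, pattern, excludeMatchedPattern) follows the CodeBuild API; the
# numeric IDs are placeholders, not real GitHub account IDs.
WEAK_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "1234|5678"},      # unanchored
]
FIXED_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(1234|5678)$"},  # anchored
]


def actor_passes(filter_group, actor_id):
    # Assumption: the pattern is applied with a regex search (match anywhere
    # in the actor ID), which is what an unanchored filter amounts to.
    for f in filter_group:
        if f["type"] != "ACTOR_ACCOUNT_ID":
            continue
        matched = re.search(f["pattern"], actor_id) is not None
        # excludeMatchedPattern=True turns the filter into a deny rule
        if matched == f.get("excludeMatchedPattern", False):
            return False
    return True


def is_anchored(pattern):
    # A pattern can only match a whole ID if it starts with ^, ends with $,
    # and has no top-level alternation (e.g. ^1234|5678$ is still weak).
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return False
    depth, i = 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1          # skip the escaped character
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            return False
        i += 1
    return True


def unanchored_actor_filters(filter_groups):
    # Audit check: patterns an ID containing an approved ID could slip past
    return [f["pattern"] for group in filter_groups for f in group
            if f["type"] == "ACTOR_ACCOUNT_ID" and not is_anchored(f["pattern"])]
```

Running `unanchored_actor_filters` over a project's exported filter groups flags every ACTOR_ACCOUNT_ID pattern that needs anchoring; the weak group above accepts a constructed ID such as "91234" while the fixed group does not.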
