A critical misconfiguration in Amazon Web Services CodeBuild could have allowed attackers to take control of AWS-managed GitHub repositories including the AWS JavaScript SDK. The flaw, codenamed CodeBreach, was fixed in September 2025 and affected four repositories.
KEY FACTS
- Incident: Misconfigured CodeBuild webhook actor ID regex allowed untrusted builds
- Affected: aws-sdk-js-v3, aws-lc, amazon-corretto-crypto-provider, awslabs/open-data-registry
- Impact: Potential exposure of a Personal Access Token with admin rights for aws-sdk-js-v3
- Remediation: Fixed in September 2025 with credential rotations and additional mitigations
In a technical analysis by Wiz, researchers Yuval Avrahami and Nir Ohfeld said attackers could inject malicious code into build processes to enable platform-wide compromise affecting applications that depend on the SDK.
The flaw stemmed from webhook filters that used unanchored regular expressions. Without start and end anchors, any GitHub user ID that contained an approved ID as a substring could trigger a build. The report noted that GitHub numeric IDs are assigned sequentially, which made it possible to predict or engineer matching IDs.
An attacker could use automated GitHub Apps to create bot users and generate a target actor ID. Triggering a build could expose a Personal Access Token for an automation account that had full admin privileges for the aws-sdk-js-v3 repository. With that access, an actor could push code to main, approve pull requests, and exfiltrate repository secrets.
The company remediated the issue in September 2025, rotated the affected credentials, and applied further safeguards to its build processes. The report recommends anchoring regex filters, enabling pull request comment approval gates, using CodeBuild-hosted runners, and issuing unique least-privilege tokens per project.
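The following is an added example, not code from Wiz or AWS, showing the substring-match weakness described above and the anchoring fix the report recommends. It assumes the filter is evaluated with search (substring) semantics, as the analysis describes, and uses constructed placeholder actor IDs; the `ACTOR_ACCOUNT_ID` filter type is CodeBuild's documented webhook filter type, but the filter-group structure shown is a constructed sample, not a real project's configuration. The audit helper flags patterns that are unanchored or that anchor only the outer alternatives of a top-level `|`.

```python
import re

# Constructed sample: numeric GitHub actor IDs of approved automation accounts.
APPROVED_ACTOR_IDS = ["12345", "67890"]


def build_unanchored_filter(ids):
    """Weak form: alternation of IDs with no ^ or $ (the misconfiguration)."""
    return "|".join(re.escape(i) for i in ids)


def build_anchored_filter(ids):
    """Hardened form: whole-string match, alternation inside a group."""
    return "^(" + "|".join(re.escape(i) for i in ids) + ")$"


def actor_matches(pattern, actor_id):
    """Assumed search semantics: a match anywhere in the actor ID passes the filter."""
    return re.search(pattern, actor_id) is not None


def is_fully_anchored(pattern):
    """True if the pattern is anchored at both ends and has no top-level '|'.

    '^a|b$' anchors only 'a' at the start and only 'b' at the end, so the
    alternation must be wrapped in a group to constrain the whole string.
    """
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return False
    if pattern.endswith("\\$"):
        return False  # trailing '$' is an escaped literal, not an anchor
    depth = 0
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip escaped character
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            return False
        i += 1
    return True


def audit_filter_groups(filter_groups):
    """Return (group_index, pattern) for every ACTOR_ACCOUNT_ID filter that is not
    fully anchored. Input mirrors CodeBuild's filter groups: a list of lists of
    {"type": ..., "pattern": ...} dicts (constructed sample shape)."""
    findings = []
    for idx, group in enumerate(filter_groups):
        for flt in group:
            if flt.get("type") == "ACTOR_ACCOUNT_ID" and not is_fully_anchored(flt["pattern"]):
                findings.append((idx, flt["pattern"]))
    return findings


if __name__ == "__main__":
    weak = build_unanchored_filter(APPROVED_ACTOR_IDS)
    strong = build_anchored_filter(APPROVED_ACTOR_IDS)
    # A constructed unrelated ID that merely contains "12345" as a substring.
    outsider = "9123456"
    print("weak filter accepts outsider:", actor_matches(weak, outsider))
    print("anchored filter accepts outsider:", actor_matches(strong, outsider))
    sample_groups = [
        [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
         {"type": "ACTOR_ACCOUNT_ID", "pattern": weak}],
        [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
         {"type": "ACTOR_ACCOUNT_ID", "pattern": strong}],
    ]
    print("audit findings:", audit_filter_groups(sample_groups))
```

Run stand-alone to see the weak filter accept the outsider ID while the anchored filter rejects it, and the audit report only the first filter group. The audit is a static check over configuration and does not replace the other mitigations the report lists (approval gates, hosted runners, per-project least-privilege tokens).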
WHY IT MATTERS
CI/CD pipelines can expose privileged credentials and trusted repositories to untrusted inputs. This finding shows how a small misconfiguration in build automation can enable supply chain attacks that affect many projects and users.