A critical vulnerability in AWS CodeBuild's webhook filters allowed attackers to compromise AWS-managed GitHub repositories due to missing regex anchors in actor ID validation, risking supply chain attacks on core AWS services.
AWS recently addressed a critical security vulnerability in several official GitHub repositories managed by the cloud provider. Dubbed CodeBreach by security researchers at Wiz, this configuration flaw in AWS CodeBuild pipelines could have enabled attackers to hijack build processes and inject malicious code into projects including the AWS SDK for JavaScript v3 - a component bundled with the AWS Management Console.
Technical Breakdown of the Vulnerability
The vulnerability stemmed from improper regex implementation in CodeBuild's webhook filters. These filters were designed to restrict build triggers to specific GitHub users through an ACTOR_ID validation check. However, the regular expressions lacked start (^) and end ($) anchors, meaning any GitHub user ID containing the trusted ID as a substring would bypass restrictions.
For example:
- Intended pattern:
123456(exact match required) - Actual implementation:
.*123456.*(substring match)
Since GitHub user IDs are sequential integers, attackers could create accounts with IDs containing the trusted patterns. Researchers demonstrated this by:
- Creating automated GitHub Apps to obtain predictable user IDs
- Triggering CodeBuild jobs using these IDs
- Extracting privileged credentials from build environment memory
- Gaining administrative access to repositories
Affected Repositories
Four high-impact repositories were confirmed vulnerable:
- AWS SDK for JavaScript v3 (Core AWS client library)
- aws-lc (AWS Cryptography's TLS implementation)
- amazon-corretto-crypto-provider (Java cryptographic components)
- awslabs/open-data-registry (AWS public datasets catalog)
Attack Impact Potential
Successful exploitation could have enabled:
- Supply chain compromise of AWS SDK packages
- Malicious code injection into AWS Console components
- Credential theft from build environments
- Repository hijacking for persistent access
Mitigation Timeline
AWS took the following actions:
| Date | Action |
|---|---|
| Aug 25 | Vulnerability reported by Wiz |
| Aug 27 | Regex filters anchored (^/$ added) aws-sdk-js-automation token revoked |
| Sept | Hardening against credential leakage via memory dumping |
| Jan 15 | Public disclosure |
Technical Context and Patterns
This incident follows similar CI/CD compromise patterns:
- Nx S1ngularity Attack: CI misconfiguration enabling malicious package publishing
- Amazon Q VS Code Extension Attack (July 2025): CodeBuild abuse for supply chain attacks
Security Recommendations
- Implement strict regex anchoring (
^value$) for all allow-list validations - Isolate privileged build environments from contributor workflows
- Rotate automation tokens regularly
- Implement credential hardening against memory inspection
- Audit CI/CD pipelines for similar substring matching flaws
Corey Quinn, Chief Cloud Economist at The Duckbill Group, noted: "This marks the second major CodeBuild security lapse within a year. Organizations should reevaluate their CI/CD security controls even when using managed services."
Comments
Please log in or register to join the discussion