A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider’s own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk.
The vulnerability has been codenamed CodeBreach by cloud security company Wiz. The issue was fixed by AWS in September 2025 following responsible disclosure on August 25, 2025.
“By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account,” researchers Yuval Avrahami and Nir Ohfeld said in a report shared with The Hacker News.
The flaw, Wiz noted, is the result of a weakness in the continuous integration (CI) pipelines that could have enabled unauthenticated attackers to breach the build environment, leak privileged credentials like GitHub admin tokens, and then use them to push malicious changes to the compromised repository – creating a pathway for supply chain attacks.
Put differently, the issue undermines webhook filters introduced by AWS to ensure that only certain events trigger a CI build. For example, AWS CodeBuild can be configured such that a build is triggered only when code changes are committed to a specific branch or when a GitHub or GitHub Enterprise Server account ID (aka ACTOR_ID or actor ID) matches the regular expression pattern. These filters serve to secure against untrusted pull requests.
The misconfiguration impacted the following AWS-managed open source GitHub repositories, which are configured to run builds on pull requests –
- aws-sdk-js-v3
- aws-lc
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
The four projects, which implemented an ACTOR_ID filter, suffered from a “fatal flaw” in that they failed to include two characters to ensure – namely the start ^ and end $ anchors – necessary to yield an exact regular expression (regex) match. Instead, the regex pattern allowed any GitHub user ID that was a superstring of an approved ID (e.g., 755743) to bypass the filter and trigger the build.
Because GitHub assigns numeric user IDs sequentially, Wiz said it was able to predict that the new user IDs (currently 9-digits long) would “eclipse” a trusted maintainer’s six-digit ID approximately every five days. This insight, coupled with the use of GitHub Apps to automate app creation (which, in turn, creates a corresponding bot user), made it possible to generate a target ID (e.g., 226755743) by triggering hundreds of new bot user registrations.
Armed with the actor ID, an attacker can now trigger a build and obtain the GitHub credentials of the aws-sdk-js-v3 CodeBuild project, a Personal Access Token (PAT) belonging to the aws-sdk-js-automation user, which has full admin privileges over the repository.
The attacker can weaponize this elevated access to push code directly to the main branch, approve pull requests, and exfiltrate repository secrets, eventually setting the stage for supply chain attacks.
“The above repositories’ configured regular expressions for AWS CodeBuild webhook filters intended to limit trusted actor IDs were insufficient, allowing a predictably acquired actor ID to gain administrative permissions for the affected repositories,” AWS said in an advisory released today.
“We can confirm these were project-specific misconfigurations in webhook actor ID filters for these repositories and not an issue in the CodeBuild service itself.”
Amazon also said it remediated the identified issues, along with implementing additional mitigations, such as credential rotations and steps to secure the build proce
