AWS CodeBuild vulnerability allowed GitHub repo takeover, Wiz researchers say

According to The Register, Wiz security researchers discovered a critical misconfiguration in AWS's CodeBuild service that could have led to a complete takeover of AWS's own GitHub repositories and posed a risk to every AWS environment globally.

The vulnerability, dubbed CodeBreach by Wiz, was found in AWS's CodeBuild service, a CI tool often connected to GitHub. A missing anchor in webhook filters allowed attackers to bypass security checks by creating GitHub user IDs that contained approved IDs. Researchers demonstrated this by gaining a trusted maintainer ID for the AWS SDK for JavaScript repository. This could have allowed an attacker to inject malicious code into the SDK, which is used by 66% of cloud environments, including the AWS Console itself. The attack vector leveraged standard developer workflows, making it accessible to intermediate developers and posing a significant supply chain risk.
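The bypass described above comes down to a regular expression that is evaluated with search semantics rather than being anchored to the whole string. The following added example (not code from Wiz, AWS or CodeBuild; a simulation of the matching logic, since the service's own matcher is not shown on the page) evaluates a constructed actor-ID allowlist pattern against constructed GitHub actor IDs, first unanchored and then anchored, and includes a helper that rewrites a pattern so it matches the entire ID. It also covers the alternation trap, where `^A|B$` anchors only one alternative, which is why the helper wraps the whole pattern in a group. All IDs and patterns are constructed sample values.

```python
import re

# Constructed sample values: one trusted maintainer actor ID and several
# attacker-style IDs that merely contain it as a substring.
TRUSTED_ID = "12345678"
CONSTRUCTED_ACTOR_IDS = [
    "12345678",    # the trusted maintainer
    "912345678",   # trusted ID embedded with a leading digit
    "123456789",   # trusted ID as a prefix
    "99999999",    # unrelated account
]


def unanchored_allows(pattern: str, actor_id: str) -> bool:
    """Weak check: search semantics, so any ID containing the pattern passes."""
    return re.search(pattern, actor_id) is not None


def anchored_allows(pattern: str, actor_id: str) -> bool:
    """Hardened check: the pattern must consume the entire actor ID."""
    return re.fullmatch(pattern, actor_id) is not None


def anchor_pattern(pattern: str) -> str:
    """Rewrite a filter pattern so it matches the whole ID even under search
    semantics. The non-capturing group matters: '^A|B$' would anchor only
    'A' at the start and only 'B' at the end, leaving both alternatives
    partially unanchored. Wrapping gives '^(?:A|B)$' instead."""
    return f"^(?:{pattern})$"


def allowed_ids(pattern: str, actor_ids: list[str], check) -> list[str]:
    """Return the actor IDs that a given check would let through."""
    return [actor_id for actor_id in actor_ids if check(pattern, actor_id)]


def audit_allowlist(patterns: list[str], probe_id: str) -> dict[str, bool]:
    """For each allowlist pattern, report True if it is safe, i.e. it does not
    admit a probe ID that merely embeds one of the intended values. The probe
    is constructed by the caller (e.g. a digit prepended to a trusted ID)."""
    return {p: not unanchored_allows(p, probe_id) for p in patterns}


if __name__ == "__main__":
    print("unanchored:", allowed_ids(TRUSTED_ID, CONSTRUCTED_ACTOR_IDS, unanchored_allows))
    print("anchored:  ", allowed_ids(TRUSTED_ID, CONSTRUCTED_ACTOR_IDS, anchored_allows))
    print("audit:     ", audit_allowlist(["12345678|87654321", "^12345678|87654321$",
                                          anchor_pattern("12345678|87654321")],
                                         probe_id="987654321"))
```

Running it shows the unanchored check admitting three of the four constructed IDs while the anchored check admits only the exact maintainer ID, and the audit flags both the bare pattern and the half-anchored `^12345678|87654321$` as unsafe. A practical control for any CI webhook filter on actor IDs is to treat the pattern as an exact-match allowlist: wrap it with `^(?:...)$`, and test it against IDs that embed the trusted value before relying on it.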

This incident highlights a universal challenge in CI/CD security: the risk of excessive privileges granted to external contributors. AWS fixed the issue in September 2025 and stated that no customer environments were impacted.

"AWS took a number of steps to mitigate all issues discovered by Wiz, as well as additional steps and mitigations to protect against similar possible future issues. The core issue of actor ID bypass due to unanchored regexes for the identified repos was mitigated within 48 hours of first disclosure," said an AWS spokesperson. 

Source: The Register
