A seemingly minor misconfiguration in a regular expression could have allowed attackers to seize control of critical AWS infrastructure, potentially compromising millions of cloud environments. Security researchers at Wiz Research have uncovered CodeBreach, a vulnerability in the supply chain of the AWS Console that stemmed from just two missing characters in a build script.
The flaw placed key AWS GitHub repositories at risk of a complete takeover, most notably the AWS JavaScript SDK, a core library that powers the AWS Console itself.
The vulnerability was found in how AWS’s CodeBuild CI pipelines handled pull requests. To prevent unauthorized users from triggering builds, the projects used an ACTOR_ID filter, intended to be an allow-list of approved maintainers.
However, the implementation had a fatal flaw. The filter used a pipe-separated list of IDs (e.g., 123|456|789) which was interpreted as a regular expression. Crucially, the pattern lacked “start ^ and end $ anchors”.
“The issue was simple but critical,” the report explains. “Without the start ^ and end $ anchors to require an exact match, a regex engine doesn’t look for a string that perfectly matches the pattern, but one that merely contains it”.
This meant that any GitHub user whose ID contained the ID of a trusted maintainer could bypass the filter and trigger a privileged build.
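To make the anchoring point concrete, the following is an added Python model of the filter (not Wiz's or AWS's code; the IDs are constructed and the function names are hypothetical). It shows the substring match on an unanchored list, the half-anchored pitfall where `^` and `$` bind only the first and last alternative, the grouped-and-anchored form, and a small lint that flags both mistakes.

```python
import re

# Constructed sample values, not real GitHub user IDs.
TRUSTED_IDS = ["123456", "234567", "345678"]
SHADOWING_ID = "8123456"   # merely contains the trusted ID "123456"


def actor_allowed(pattern, actor_id):
    """Models an ACTOR_ID filter: the pattern is applied as a regex and the
    build is allowed if it matches. re.search() succeeds on a match anywhere
    in actor_id, so only the pattern's own anchors can force a full match."""
    return re.search(pattern, actor_id) is not None


def build_anchored_pattern(trusted_ids):
    """Hardened allow-list: escape each ID, put the alternation in a group and
    anchor the group, so every alternative must cover the whole actor ID.
    (In Python '$' also matches before a trailing newline; use '\\Z' if the
    input could carry one. GitHub IDs are plain digit strings.)"""
    return "^(" + "|".join(re.escape(i) for i in trusted_ids) + ")$"


def lint_actor_filter(pattern):
    """Return findings for an ACTOR_ID regex: missing anchors, or anchors that
    do not bind the whole alternation (e.g. '^123|456$')."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("missing start anchor ^")
    if not pattern.endswith("$"):
        findings.append("missing end anchor $")
    anchored = pattern.startswith("^") and pattern.endswith("$")
    if anchored and "|" in pattern and not re.fullmatch(r"\^\([^()]*\)\$", pattern):
        findings.append("alternation not grouped: anchors bind only the first and last alternative")
    return findings


if __name__ == "__main__":
    flawed = "|".join(TRUSTED_IDS)            # the unanchored list from the article
    print("unanchored, shadowing ID allowed:", actor_allowed(flawed, SHADOWING_ID))
    print("lint:", lint_actor_filter(flawed))
    fixed = build_anchored_pattern(TRUSTED_IDS)
    print("anchored, shadowing ID allowed:", actor_allowed(fixed, SHADOWING_ID))
    print("anchored, real maintainer allowed:", actor_allowed(fixed, TRUSTED_IDS[0]))
```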
Wiz researchers realized that because GitHub assigns user IDs sequentially, they could predict when a “superstring” ID would become available, a window of opportunity they dubbed an “ID Eclipse”.
By monitoring the creation of new GitHub IDs and launching a coordinated registration burst, they successfully claimed a user ID that shadowed a trusted maintainer for the AWS JavaScript SDK.
With this account, they submitted a pull request that bypassed the filter. “Moments later, we had successfully obtained the GitHub credentials of the aws-sdk-js-v3 CodeBuild project” by dumping the build environment’s memory.
The compromised credentials granted full administrative control over the repository. An attacker could have injected malicious code into the SDK, which is “released on a weekly basis to GitHub and then to NPM”.
The potential blast radius was massive. “Based on our analysis, a staggering 66% of cloud environments include the JavaScript SDK,” the report notes. “Among its users is perhaps the cloud’s most critical application: The AWS Console itself”.
A successful supply chain attack could have compromised the AWS Console for every user, “threatening every AWS account”.
Upon disclosure, AWS acted swiftly. The cloud giant “mitigated within 48 hours of first disclosure” by fixing the regex patterns and implementing broader hardening measures.
“AWS determined there was no impact of the identified issue on the confidentiality or integrity of any customer environment or any AWS service,” the company stated.
To prevent future incidents, AWS has introduced a new Pull Request Comment Approval build gate in CodeBuild, offering organizations “a simple and secure path to prevent untrusted builds”.
Wiz emphasizes that this incident is part of a growing trend of attackers targeting build pipelines. “This vulnerability is a textbook example of why adversaries target CI/CD environments: a subtle, easily overlooked flaw that can be exploited for massive impact”.
Organizations are urged to review their own CodeBuild configurations and ensure that “untrusted contributions should never trigger privileged pipelines”.