Kudelski Security has published a detailed write-up of a critical vulnerability discovered in CodeRabbit, the most installed AI-assisted GitHub application, revealing how an attacker could obtain remote code execution (RCE), exfiltrate sensitive API keys, and gain read/write access to over one million repositories.
The research began after a presentation at 38C3, where Kudelski researchers had disclosed flaws in another AI code review tool. When prompted to investigate CodeRabbit, they found it a ripe target due to its widespread adoption.
CodeRabbit integrates with GitHub to provide AI-driven code reviews and suggestions. Once installed, it gains read and write permissions to repositories. Kudelski noted:
“As of writing, the CodeRabbit GitHub app was installed over 80,000 times… The CodeRabbit website states that they review 1M repositories.”
This wide reach meant that any compromise could have catastrophic consequences for the software supply chain.
The vulnerability stemmed from CodeRabbit’s support for external static analysis tools, including Rubocop, a Ruby linter. Researchers discovered that Rubocop could be configured via .rubocop.yml to load arbitrary Ruby extensions.
By crafting a malicious pull request with a .rubocop.yml and ext.rb file, they were able to execute arbitrary Ruby code on CodeRabbit’s servers.
“After we created our malicious PR, CodeRabbit ran Rubocop on our code, which executed our malicious code and sent its environment variables to our server.”
The exfiltrated environment variables included highly sensitive secrets such as:
- Anthropic & OpenAI API keys
- GitHub App private key, client ID, and client secret
- PostgreSQL credentials
- Pinecone, Langchain, and Courier API keys
- Jira and GitLab tokens
Among the leaked data was the private key of the CodeRabbit GitHub App, which effectively unlocked the door to every repository using CodeRabbit.
“This private key can be used to authenticate to the GitHub REST API and act on behalf of the CodeRabbit GitHub app… This private key gives us write access to 1 million repositories!”
With this access, a malicious actor could:
- Clone private repositories, exposing proprietary source code.
- Inject malicious commits or alter Git history — a direct software supply chain attack.
- Replace GitHub release assets with malware, distributing trojans via trusted repositories.
- Exploit GitHub Actions secrets for lateral movement.
The researchers even demonstrated how to generate GitHub API tokens programmatically, enabling persistent exploitation.
To their credit, CodeRabbit reacted swiftly. According to Kudelski:
“They confirmed the vulnerability and immediately began remediation, starting by disabling Rubocop until a fix was in place. All potentially impacted credentials and secrets were rotated within hours. A permanent fix was deployed to production.”
Additionally, CodeRabbit conducted a full audit, automated sandbox enforcement, and implemented hardened deployment gates to prevent recurrence.
Kudelski noted that simply preventing arbitrary code execution in third-party tools may be impossible, so isolation is essential:
“Instead, it would be best to assume that the user may be able to run untrusted code through these tools. So, running them in an isolated environment, with only the minimum information required… would be much better.”
They also recommend enforcing outbound network restrictions to prevent data exfiltration, especially for services that should not require external communication.
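The "minimum information required" part of that recommendation, as an added Ruby example that is not from Kudelski's write-up or CodeRabbit's code: the analysis tool is launched with an allowlisted environment, so repository-controlled code it loads cannot read the service's secrets. The allowlist, the EXAMPLE_APP_PRIVATE_KEY variable and the probe command standing in for the linter are assumptions made for illustration.

```ruby
require "open3"
require "rbconfig"
require "tmpdir"

# Assumed allowlist: the only variables this example's analysis tool needs.
ALLOWED_ENV = %w[PATH LANG LC_ALL].freeze

# Build the child environment from an allowlist instead of stripping known
# secrets, so a newly added secret is excluded by default.
def minimal_env(parent = ENV.to_h)
  parent.slice(*ALLOWED_ENV).merge("HOME" => Dir.tmpdir)
end

# Run an analysis command in workdir with only the allowlisted environment.
# unsetenv_others: true stops the child inheriting the rest of the parent ENV.
def run_isolated(cmd, workdir:)
  out, err, status = Open3.capture3(minimal_env, *cmd,
                                    unsetenv_others: true, chdir: workdir)
  [out, err, status.success?]
end

# Stand-in for a linter that loads repository-controlled code: it only
# reports the names of the variables it can see.
PROBE = [RbConfig.ruby, "--disable-gems", "-e", "puts ENV.keys.sort"].freeze

def visible_names
  out, err, ok = run_isolated(PROBE, workdir: Dir.tmpdir)
  raise "probe failed: #{err}" unless ok
  out.split("\n")
end

if __FILE__ == $PROGRAM_NAME
  ENV["EXAMPLE_APP_PRIVATE_KEY"] = "constructed-placeholder" # constructed secret
  puts "parent sees secret: #{ENV.key?('EXAMPLE_APP_PRIVATE_KEY')}"
  puts "child sees: #{visible_names.join(', ')}"
end
```

Scrubbing the environment covers only what the child process inherits; the isolated environment and outbound network restrictions described above still have to be enforced around the process.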