Memory Dump Issue in AWS CodeBuild
Bulletin ID: AWS-2025-016
Scope: AWS
Content Type: Important
Release Date: 2025/07/25 6:00 PM PDT
Description
AWS CodeBuild is a fully managed on-demand continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.
Security researchers reported a CodeBuild issue that could be leveraged for unapproved code modification where repository controls and credential scoping were insufficient. The researchers demonstrated how a threat actor could submit a Pull Request (PR) that, if built automatically by CodeBuild, could extract the source code repository (e.g. GitHub, Bitbucket, or GitLab) access token through a memory dump within the CodeBuild build environment. If that access token has write permissions, the threat actor could commit malicious code to the repository. This issue is present in all regions where CodeBuild is available.
During our investigation, we identified that this technique was leveraged by a threat actor who extracted the source code repository access token for the AWS Toolkit for Visual Studio Code and AWS SDK for .NET repositories. We have assigned CVE-2025-8217 to this; please refer to AWS Security Bulletin AWS-2025-015 for additional information.
Source code repository credentials are required for CodeBuild to access repository content, create webhooks for automated builds, and execute builds on your behalf. A PR submitter who obtains CodeBuild's repository credentials gains whatever permissions those credentials carry, which may exceed their normal access level. Depending on the permissions customers grant in CodeBuild, these credentials might allow webhook creation (which CodeBuild requires to integrate with source code repositories and set up automated builds) or committing code to the repository.
To determine whether this issue was leveraged by an untrusted contributor, we recommend reviewing the repository provider's logs (e.g. GitHub logs) and looking for anomalous activity by the credentials granted to CodeBuild, such as commits, pushes, or webhook changes that do not correspond to a build you initiated.
We will update this bulletin if we have additional information to share.
Resolution
CodeBuild has added protections against memory dumps within container builds running in unprivileged mode. However, because a build executes code committed by contributors, that code has access to everything the build environment has access to, including the repository credentials. We therefore strongly recommend that customers do not use automatic PR builds from untrusted repository contributors. Public repositories that want to continue building untrusted contributions automatically should use the self-hosted GitHub Actions runners feature in CodeBuild, which is not affected by this issue.
To disable automatic builds of PRs from untrusted contributors, take any of the following approaches:
- Disable webhook builds by unchecking "Rebuild every time a code change is pushed to this repository" in the CodeBuild console, or
- Set a webhook event filter that excludes pull request events from triggering automatic builds, or
- Set a webhook actor filter (ACTOR_ACCOUNT_ID) so that pull request builds run only for trusted users
If you use automatic PR builds for untrusted contributors, and the credentials or access token provided to the CodeBuild environment have write permissions, we recommend rotating those credentials. In general, we recommend reviewing the write permissions granted to CodeBuild and revoking them unless they are absolutely necessary.
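The three approaches above are described as console steps. As an added example (not from this bulletin, and not AWS's own tooling), the following Python script uses boto3 to audit a project's webhook filter groups, flag any group that would build a pull request from any repository account, and optionally apply the second or third mitigation (delete the webhook, or replace the filter groups with a set that requires a trusted ACTOR_ACCOUNT_ID). The project name and account IDs are placeholders. The filter-group semantics are those of the CodeBuild API: a webhook fires when any filter group matches, a group matches when all of its filters match, EVENT patterns are comma-separated event types, and ACTOR_ACCOUNT_ID patterns are regular expressions matched against the provider's numeric account ID.

```python
"""Audit CodeBuild webhook filter groups for pull-request builds from
untrusted actors, and optionally replace them with a hardened set.
Added example; project name and account IDs below are placeholders.

Filter-group semantics come from the CodeBuild API: a webhook triggers a
build when ANY filter group matches, and a group matches when ALL of its
filters match. Every group has at least one EVENT filter whose pattern is a
comma-separated list of event types; ACTOR_ACCOUNT_ID patterns are regular
expressions matched against the repository provider's numeric account ID.
"""
import re

PR_EVENTS = {
    "PULL_REQUEST_CREATED", "PULL_REQUEST_UPDATED", "PULL_REQUEST_REOPENED",
    "PULL_REQUEST_MERGED", "PULL_REQUEST_CLOSED",
}


def _event_set(pattern):
    return {e.strip() for e in pattern.split(",") if e.strip()}


def pr_events_permitted(group):
    """Return the PR event types that pass this group's EVENT filters."""
    permitted = set(PR_EVENTS)
    for f in group:
        if f["type"] != "EVENT":
            continue
        listed = _event_set(f["pattern"])
        if f.get("excludeMatchedPattern", False):
            permitted -= listed      # exclude filter: listed events never build
        else:
            permitted &= listed      # include filter: only listed events build
    return permitted


def has_actor_allowlist(group):
    """True if the group only fires for actors matching an ACTOR_ACCOUNT_ID
    pattern. A filter with excludeMatchedPattern is a deny-list and still
    lets every other account build, so it does not count."""
    return any(f["type"] == "ACTOR_ACCOUNT_ID"
               and not f.get("excludeMatchedPattern", False) for f in group)


def untrusted_pr_groups(filter_groups):
    """Indices of groups that would build a PR from any repository account."""
    return [i for i, g in enumerate(filter_groups)
            if pr_events_permitted(g) and not has_actor_allowlist(g)]


def actor_pattern(trusted_actor_ids):
    """Anchored regex for the numeric account IDs allowed to trigger PR
    builds. Without anchors, '12' would also match account 1234."""
    ids = sorted({str(i) for i in trusted_actor_ids})
    return "^(" + "|".join(re.escape(i) for i in ids) + ")$"


def actor_matches(pattern, actor_id):
    return re.search(pattern, str(actor_id)) is not None


def hardened_filter_groups(trusted_actor_ids):
    """Build on every push (committers already hold write access) and on PR
    open/update/reopen only for trusted actors. MERGED/CLOSED are omitted:
    they fire after a maintainer acts and are not needed for PR checks."""
    return [
        [{"type": "EVENT", "pattern": "PUSH"}],
        [
            {"type": "EVENT",
             "pattern": "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED"},
            {"type": "ACTOR_ACCOUNT_ID", "pattern": actor_pattern(trusted_actor_ids)},
        ],
    ]


def audit_project(project_name, trusted_actor_ids, mode="report"):
    """Inspect one project's webhook via boto3 (imported here so the pure
    functions above work offline). mode: 'report', 'filter' (replace the
    filter groups), or 'disable' (delete the webhook, i.e. no automatic builds)."""
    import boto3
    cb = boto3.client("codebuild")
    projects = cb.batch_get_projects(names=[project_name])["projects"]
    if not projects:
        return f"{project_name}: project not found"
    webhook = projects[0].get("webhook")
    if not webhook:
        return f"{project_name}: no webhook, automatic builds are already off"
    groups = webhook.get("filterGroups", [])
    if not groups:
        return f"{project_name}: legacy webhook without filter groups, review manually"
    bad = untrusted_pr_groups(groups)
    if not bad:
        return f"{project_name}: PR builds already restricted to trusted actors"
    if mode == "disable":
        cb.delete_webhook(projectName=project_name)
        return f"{project_name}: webhook deleted"
    if mode == "filter":
        cb.update_webhook(projectName=project_name,
                          filterGroups=hardened_filter_groups(trusted_actor_ids))
        return f"{project_name}: filter groups replaced"
    return f"{project_name}: groups {bad} build PRs from any actor; rotate write-capable tokens"


if __name__ == "__main__":
    # Placeholders: substitute your project name and the trusted GitHub
    # account IDs (the numeric 'id' field from https://api.github.com/users/<login>).
    print(audit_project("my-codebuild-project", trusted_actor_ids=[1234567], mode="report"))
```

Run it in report mode first against each project that has a webhook; the flagged group indices tell you which filter groups currently admit pull requests from anyone, and those are the projects whose repository tokens should be rotated if they carry write scope. The actor pattern is anchored deliberately: CodeBuild evaluates ACTOR_ACCOUNT_ID as a regular expression, so an unanchored list of IDs would also match any account whose ID merely begins with a trusted one.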
Acknowledgement
We would like to thank the researchers from the Institute of Information Engineering, Chinese Academy of Sciences for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.