AWS Latest Bulletins
[Redirected] Memory Dump Issue in AWS CodeBuild
AWS CodeBuild, a continuous integration service, had a security vulnerability that allowed unapproved code modification. Security researchers found that a malicious Pull Request could extract the repository access tokens used by a build through a memory dump within the CodeBuild environment. If those tokens carried write permissions, an attacker could inject harmful code into the repository. The issue affects all AWS regions where CodeBuild is used.

The vulnerability was confirmed to have been exploited to extract access tokens for the AWS Toolkit for Visual Studio Code and AWS SDK for .NET repositories; CVE-2025-8217 has been assigned.

CodeBuild requires repository credentials for operations such as accessing repository content and creating webhooks, so obtaining these credentials could grant an attacker elevated permissions on the repository.

Customers are advised to review their git logs for suspicious activity related to CodeBuild credentials. AWS has implemented additional protections against memory dumps in container builds that use unprivileged mode. However, because build environments by their nature execute code supplied by contributors, AWS strongly recommends against automatically building Pull Requests from untrusted contributors. Public repositories that need automated builds from untrusted sources should use self-hosted GitHub Actions runners in CodeBuild, a feature that is not affected by the vulnerability.
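The bulletin asks customers to review git logs for activity that could stem from a leaked CodeBuild token. The following is an added example, not code from the AWS bulletin: it parses `git log` output in an assumed field-separated format and flags non-merge commits on the default branch whose committer is not in an assumed allowlist of known identities, which is the shape a direct push with a stolen token would take. The sample history, addresses and SHAs are constructed.

```python
"""Triage git history for commits that could have been pushed with a leaked
repository token. Heuristic only: committer identity is attacker-controlled,
so treat hits as leads and confirm against the git provider's audit log."""
from dataclasses import dataclass

# Assumed log format (one commit per line, fields separated by 0x1f):
#   git log --format='%H%x1f%P%x1f%ce%x1f%cI%x1f%s' main
FIELD_SEP = "\x1f"


@dataclass
class Commit:
    sha: str
    parents: list
    committer_email: str
    date: str
    subject: str


def parse_git_log(text: str) -> list:
    """Parse the assumed format above into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, email, date, subject = line.split(FIELD_SEP, 4)
        commits.append(Commit(sha, parents.split(), email, date, subject))
    return commits


def flag_suspicious(commits: list, trusted_committers: set) -> list:
    """Return (sha, reason) for single-parent commits by unknown committers.
    Merge commits (two or more parents) came through a PR and are skipped."""
    findings = []
    for c in commits:
        if len(c.parents) < 2 and c.committer_email not in trusted_committers:
            findings.append((c.sha, f"direct commit by unknown committer {c.committer_email}"))
    return findings


# Constructed sample history: one PR merge, one unknown direct push, one known bot.
SAMPLE_LOG = "\n".join([
    FIELD_SEP.join(["a" * 40, "b" * 40 + " " + "c" * 40, "noreply@github.com",
                    "2025-07-20T10:00:00Z", "Merge pull request #41 from dev/feature"]),
    FIELD_SEP.join(["b" * 40, "d" * 40, "someone@example.invalid",
                    "2025-07-19T03:12:00Z", "Update build script"]),
    FIELD_SEP.join(["d" * 40, "e" * 40, "release-bot@example.com",
                    "2025-07-18T09:00:00Z", "Bump version"]),
])
TRUSTED = {"noreply@github.com", "release-bot@example.com"}  # assumed allowlist

if __name__ == "__main__":
    for sha, reason in flag_suspicious(parse_git_log(SAMPLE_LOG), TRUSTED):
        print(sha[:12], reason)
```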