この日はセキュリティ速報が1件公開された。AWS CodeBuild のメモリダンプに関する問題 (AWS-2025-016) で、リポジトリ制御や認証情報のスコープが不十分な場合、悪意あるプルリクエストを通じてビルド環境のメモリダンプからソースコードリポジトリ (GitHub、BitBucket、GitLab等) のアクセストークンが抽出され得るというもの。実際に脅威アクターがこの手法を用い、AWS Toolkit for VS Code および AWS SDK for .NET のリポジトリのトークンを抽出した事例が確認され、CVE-2025-8217 が割り当てられた (速報AWS-2025-015参照)。CodeBuild は非特権モードでメモリダンプに対する保護を追加したが、AWS は信頼できない貢献者からの自動PRビルドを使用しないよう強く推奨している。
AWS CodeBuildのメモリダンプ問題 (AWS-2025-016): 悪意あるPRからリポジトリアクセストークンを抽出可能。全リージョンが対象で、実際の悪用事例も確認
対策と推奨事項: 非特権モードでの保護を追加。信頼できない貢献者の自動PRビルドは避け、公開リポジトリではセルフホスト型GitHub Actionsランナーの利用を推奨
Bulletin ID: AWS-2025-016
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/07/25 6:00 PM PDT
Description:
AWS CodeBuild is a fully managed on-demand continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.
Security researchers reported a CodeBuild issue that could be leveraged for unapproved code modification absent sufficient repository controls and credential scoping. The researchers demonstrated how a threat actor could submit a Pull Request (PR) that, if executed through an automated CodeBuild build process, could extract the source code repository (e.g. GitHub, BitBucket, or GitLab) access token through a memory dump within the CodeBuild build environment. If the access token has write permissions, the threat actor could commit malicious code to the repository. This issue is present in all regions for CodeBuild.
During our investigation, we identified this technique was leveraged by a threat actor who extracted the source code repository access token for the AWS Toolkit for Visual Studio Code and AWS SDK for .NET repositories. We have assigned CVE-2025-8217 for this, please refer to the AWS Security Bulletin AWS-2025-015 for additional information.
Source code repository credentials are required in CodeBuild to access repository content, create webhooks for automated builds, and execute the build on your behalf. If a PR submitter obtains CodeBuild's repository credentials, they could gain elevated permissions beyond their normal access level. Depending on the permissions customers grant in CodeBuild, these credentials might allow elevated privileges like webhook creation, which CodeBuild requires to integrate with source code repositories and set up automated builds, or commit code to the repository.
To determine if this issue was leveraged by an untrusted contributor, we recommend reviewing git logs, e.g. GitHub logs, and look for anomalous activity of the credentials granted to CodeBuild.
We will update this bulletin if we have additional information to share.
Resolution:
CodeBuild has included additional protections against memory dumps within container builds using unprivileged mode. However, because builds execute code committed by contributors in the build environment, they have access to anything the build environment has access to. Therefore, we strongly recommend customers do not use automatic PR builds from untrusted repository contributors. For public repositories that want to continue to support automatic builds of untrusted contributions, we advise using the self-hosted GitHub Actions runners feature in CodeBuild as it is not impacted by this issue.