Codebuild data exfiltration

Published Thu, Feb 3rd, 2022


When customers attach a CodeBuild project to their VPC, CodeBuild’s build container will apply the same network routing rules as defined in the customer’s VPC Security Group. However, CodeBuild EC2 hosts retained Internet connectivity via AWS's own VPC, thus allowing an attacker to bypass any custom VPC rules the customer had set up, and use CodeBuild for data exfiltration from the targeted environment. AWS later updated the CodeBuild service to block all outbound network access for newly created CodeBuild projects which contain a customer-defined VPC configuration.

Affected Services



None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Thu, Feb 3rd, 2022
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Aidan Steele