HN Distilled

Essential insights from Hacker News discussions

How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos

Original Article

Hacker News Discussion

This discussion revolves around a security vulnerability discovered in CodeRabbit, a tool that reviews code for potential issues. The vulnerability allowed arbitrary code execution within CodeRabbit's environment, with a particular focus on how sensitive credentials, like GitHub API private keys, were handled.

Here are the key themes that emerged:

Critical Handling of Environment Variables and Secrets Management

A central point of contention is CodeRabbit's (and by extension, other similar services') practice of exposing sensitive credentials, specifically GitHub API private keys, via environment variables to tools that process untrusted user code. Many users expressed shock and concern over this approach, citing it as a fundamental security misstep.

  • "Environment variables used to be standard practice for API keys. It seems like every time someone finds a way to get a key, standard practice gets more convoluted." - immibis
  • Progbits highlights two major issues: "1. You don't send the private key to github like an API key, you use it to sign requests. So there is no reason for any application, even your trusted backend, to ever see that key. Just have it request signatures from a vault, and the vault can log each access for audit etc. 2. Even if you really trust your backend and give it the key, why the fuck does the sandboxed runner get it?" - progbits
  • tadfisher reinforces this by quoting GitHub's own documentation: "The Github API secret key should never be exposed in the environment, period; you're supposed to keep the key in an HSM and only use it to sign the per-repo access token."
  • Another user states, "It is incredibly bad practice that their "become the github app as you desire" keys to the kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets management, that doesn't have to be there. Github LITERALLY SAYS on their doc that storing it in an environment variable is a bad idea. Just day 1 stuff." - thyrfa referencing GitHub's documentation.
  • neandrake comments, "However their response doesn't remediate putting secrets into environment variables in the first place - that is apparently acceptable to them and sets off a red flag for me."

Insufficient Sandboxing and Isolation

The incident revealed that one of CodeRabbit's tools, Rubocop, was not properly sandboxed, allowing the exploit to access sensitive environment variables. This led to a broader discussion about the necessity and common failures of sandboxing in systems that process external code.

  • The core of the exploit is concisely described: "While running the exploit, CodeRabbit would still review our pull request and post a comment on the GitHub PR saying that it detected a critical security risk, yet the application would happily execute our code because it wouldn’t understand that this was actually running on their production system." - ketzo
  • "Beautiful that CodeRabbit reviewed an exploit on its own system!" - progforlyfe captures the ironic nature of the situation.
  • Regarding the failed isolation: "we learned from them that they had an isolation mechanism in place, but Rubocop somehow was not running inside it." - elpakal quoting CodeRabbit's disclosure.
  • "The article seems to imply that something of the sort had actually been attempted prior to the incident, but was either incomplete or buggy. I'm not sure the details would be entirely exculpatory, but unless you want to flatly disbelieve their statements, 'not considered' isn't quite right." - wging on the state of their isolation mechanisms.
  • "If they're anything like the typical web-startup "developing fast but failing faster", they probably are using docker containers for 'security isolation'." - diggan speculates on the nature of their isolation.
  • "What a bizarre world we're living in, where computers can talk about how they're being hacked while it's happening." - ketzo on the surreal nature of the event.
  • morgante emphasizes the fundamental principle: "Rule #1 of building any cloud platform analyzing user code is that you must run analyzers in isolated environments. Even beyond analysis tools frequently allowing direct code injection through plugins, linters/analyzers/compiler are complex software artifacts with large surface areas for bugs. You should ~never assume it's safe to run a tool against arbitrary repos in a shared environment."

Concerns about AI's Reliability and Intelligence

Some commentators used the incident as an example to question the current capabilities and "intelligence" of AI systems, suggesting they are merely sophisticated guessing machines.

  • "Another proof that AI is not smart, it’s just really good at guessing." - shreddit
  • The quote, "This PR appears to add a minimized and uncommon style of Javascript in order to… Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? …I’m afraid. I’m afraid, Dave. I can feel it. I can feel it. My mind is going." - lelandfe hints at the potential for AI to generate uncanny or alarming behavior when things go wrong.
  • "You mean the anthropic model talked about an exploit... the coderabbit system just didn't listen" - htrp distinguishing between different AI components within the system.

GitHub App Permissions and Vendor Trust

The discussion also touched upon the broad permissions often requested by GitHub Apps and the inherent trust placed in third-party vendors, raising questions about GitHub's role in enabling such broad access.

  • "Why does CodeRabbit need write access to the git repo? Why doesn't Github let me limit it's access?" - hahn-kev questions the necessity of write access.
  • "Right, the downside being that the app needs write access to your repository." - tadfisher acknowledges the permission requirement.
  • "Writing to PR branches should really be some new kind of permission." - rahkiin suggests a specialized permission.
  • socalgal2 places significant blame on GitHub: "IMO, Github is majorly to blame for this. They under-invested in their permission system so 3rd party apps are effectively encouraged to ask for "root" permissions. ... Any 3rd party service that said "give us root to your servers" would be laughed out of the market. But, that's what github has encouraged because their default workflow leaves it up to the developer to do the right thing."

Transparency and Response to Vulnerabilities

CodeRabbit's handling of the disclosure and remediation process also drew scrutiny, with users questioning their transparency and the timing of their public statements.

  • "On January 24, 2025, security researchers from Kudelski Security disclosed a vulnerability to us through our Vulnerability Disclosure Program (VDP). The researchers identified that Rubocop, one of our tools, was running outside our secure sandbox environment—a configuration that deviated from our standard security protocols." - curuinor (CodeRabbit representative) quoting their disclosure.
  • "but it sounds like they forgot to put Rubocop through the special method." - The_Fox on the potential oversight.
  • "When they're spinning it [1] as a PR opportunity with no mention of the breach there won't be a bounty. ... Instead they took it as an opportunity to market their new sandboxing on Google's blog [2] again with no mention of why their hand was forced into building the sandboxing they should have had before they rushed to onboard thousands of customers." - cube00 highlights concerns about the company's public relations strategy.
  • vadepaysa notes, "I cancelled my coderabbit paid subscription, because it always worries me when a post has to go viral on HN for a company to even acknowledge an issue occurred. Their blogs are clean of any mention of this vulnerability and they don't have any new posts today either."
  • "If I were a CodeRabbit customer, I'd still be pretty concerned after reading that. How can CodeRabbit be certain that the GitHub App key was not exfiltrated and used to sign malicious tokens for customer repos (or even used for that in-situ)? ... The claim that 'no malicious activity occurred' implies that they audited the activities of every repo that used Rubocop (or any other potential unsandboxed tool) from the point that support was added for it until the point that the vulnerability was fixed. That's a big claim." - marksomnian on the difficulty of verifying the "no data affected" claim.

Responsibility and Consequences for Security Failures

The discussion touched on the lack of consequences for companies that experience significant security failures and the need for greater regulation and accountability.

  • "This is a pretty bad vulnerability. It's good that they fixed it, but damning that it was ever a problem in the first place." - morgante
  • "Software industry really needs at least some guardrails/regulations at this point. It is absurd that anyone can mess up anything and have absolutely 0 consequences." - risyachka
  • "This whole situation is a perfect example of why companies need to be accountable and transparent. The lack of clear communication and the potential dismissiveness of the vulnerability is alarming." - observationist expressing general concern.
  • "The chuzpe to use this as PR." - KingOfCoders expresses disbelief at the company's PR approach. (Later corrected to "chutzpah" by woodruffw).

Broader Implications for Tooling and Development

The vulnerability also spurred discussions about the inherent risks of tools that process code, such as linters, compilers, and package managers, and the need for greater security awareness in the development lifecycle.

  • "You should treat running a code analyzer/builder/linter against a codebase as being no safer than running that codebase itself." - morgante
  • "Maybe those tools should explicitly confirm executing every external command (with caching allowed commands list in order to not ask again). And maybe Linux should provide an easy to use and safe sandbox for developers." - codedokode on the risks of modern development tools.
  • "It's safe to assume that the Rust compiler (like any compiler built on top of LLVM) has arbitrary code execution vulnerabilities, but as an intended feature I think this only exists in cargo, the popular/official build system, not rustc, the compiler." - gpm clarifying a point about Rust's compilation process.