In this blog post, we explain how we got remote code execution (RCE) on CodeRabbit's production servers, leaked their API tokens and secrets, how we could have accessed their PostgreSQL database, and how we obtained read and write access to 1 million code repositories, including private ones. This blog post is a detailed write-up of…

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

Security researchers discovered a critical vulnerability in CodeRabbit, an AI code review tool, that allowed remote code execution through malicious Ruby extensions in Rubocop configuration files. By creating a pull request with crafted .rubocop.yml and ext.rb files, attackers could execute arbitrary code on CodeRabbit's production servers, leak environment variables containing API keys and secrets, and gain read/write access to over 1 million repositories including private ones. The vulnerability was responsibly disclosed and fixed within a week, highlighting the importance of proper isolation when executing external tools in production environments.

How We Exploited CodeRabbit: From a Simple PR to RCE and Write Access on 1M Repositories

Getting Read/write access to 1M repositories

Leaking CodeRabbit’s private repositories