The Illusion of Isolation: How Isolation Failures in CI/CD Servers Lead to RCE and Privacy Risks
Black Hat Asia 2025 · Day 2 · Briefings
In this compelling Black Hat Asia talk, "The Illusion of Isolation," researchers Tenjo and Yuwan Wong from the University of Chinese Academy of Sciences delve into a critical, yet often overlooked, area of modern software development security: isolation failures within Continuous Integration/Continuous Deployment (CI/CD) servers. While traditional CI/CD security research frequently focuses on vulnerabilities that grant access to build *workers* or *agents*, this presentation shifts the spotlight to the more insidious and impactful realm of server-side compromise. The speakers meticulously demonstrate how fundamental design flaws and inadequate isolation mechanisms in popular CI/CD platforms can lead to remote code execution (RCE) and significant privacy risks directly on the CI/CD server itself.
AI review
This talk by Tenjo and Yuwan Wong is a critical, deep dive into the often-overlooked area of CI/CD server-side vulnerabilities. They meticulously expose how fundamental isolation failures, particularly around Source Code Management (SCM) interactions, can lead to Remote Code Execution (RCE) and severe data breaches across multiple popular platforms. The research demonstrates novel and sophisticated attack techniques, like the 'Server Push Attack' and chained exploits using path disclosure and environment variable injection, proving that the 'illusion of isolation' in these critical systems…