Anthropic API proxy must enforce per-request credential validation #22894

@szabta89

Description

This follows up on a reviewed security finding from githubnext/gh-aw-security. The finding indicates a likely gh-aw defect in the AWF API proxy component, where the ghcr.io/github/gh-aw-firewall/api-proxy (v0.25.0) container provisioned at 172.30.0.30:10001 inside Claude-backed runners accepts inbound requests regardless of x-api-key value, including requests with no key at all and requests with a syntactically fake key.

Any code executing within the runner container (e.g., via a compromised build step, prompt injection payload, or supply-chain attack) can invoke the org's real Anthropic API credentials without restriction, enabling cost/quota abuse, amplification of prompt injection attacks, and unauthenticated enumeration of internal EAP model identifiers. The engines reference documents that the proxy is responsible for validating API keys; observed behaviour directly contradicts this.

Suggested fix: validate a per-job ephemeral token on every inbound request, return HTTP 401 for missing or unrecognised keys, and restrict listener binding to the Claude Code CLI process only.

Affected area: ghcr.io/github/gh-aw-firewall/api-proxy — runner container trust boundary / AWF sandbox network
Original finding: https://github.com/githubnext/gh-aw-security/issues/1514

gh-aw version: v0.63.0

Generated by File gh-aw Issue for issue #1514
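As an added illustration of the suggested fix (example code written for this page, not the gh-aw or AWF project's own implementation), the Go handler below rejects every inbound request whose x-api-key header does not match a per-job ephemeral token, answering with HTTP 401 for a missing key and for a syntactically plausible but unrecognised key alike. The names newJobToken, authorized, requireJobToken and proxyStatus are hypothetical, the upstream forwarder that would attach the org's real Anthropic credential is stubbed, and the token is minted in-process here rather than handed to the Claude Code CLI by the job orchestrator. Listener binding is not covered; the example shows only the per-request check.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"log"
	"net/http"
	"net/http/httptest"
)

// newJobToken mints a hypothetical per-job ephemeral token. In a real runner
// the orchestrator would generate this at job start and pass it only to the
// Claude Code CLI process; here it is generated locally for the example.
func newJobToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// authorized reports whether the request carries an x-api-key header equal to
// the expected job token. An empty header or an empty expected token is always
// rejected, and the comparison is constant-time to avoid a timing side channel.
func authorized(r *http.Request, expected string) bool {
	got := r.Header.Get("x-api-key")
	if got == "" || expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
}

// requireJobToken wraps the upstream forwarder so that the check runs on every
// inbound request before any real credential is attached. Unauthorised callers
// get 401 and never reach the forwarder.
func requireJobToken(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r, expected) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="api-proxy"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// proxyStatus sends one constructed request through the protected handler
// with the given x-api-key value (empty string means no header) and returns
// the HTTP status the client would observe.
func proxyStatus(token, headerValue string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Stand-in for forwarding to the Anthropic API with the real key.
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/v1/messages", nil)
	if headerValue != "" {
		req.Header.Set("x-api-key", headerValue)
	}
	requireJobToken(token, upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	token, err := newJobToken()
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("no key:    %d", proxyStatus(token, ""))            // 401
	log.Printf("fake key:  %d", proxyStatus(token, "sk-ant-fake")) // 401
	log.Printf("job token: %d", proxyStatus(token, token))         // 200
}
```

The expected token is never read from the request itself, and an empty configured token fails closed, so a runner that forgot to provision the token cannot silently fall back to the open behaviour described in the finding.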
