Critical Remote Code Execution (RCE) Vulnerability Exposing 1 Million Repositories (critical)
A critical RCE vulnerability was discovered by Kudelski Security (reported to CodeRabbit in January 2025, published in August 2025). It exploited the unsandboxed execution of the RuboCop static analysis tool on code supplied through a malicious pull request: because the tool ran in the same environment as the review runner, code under an attacker's control could read the runner's secrets. By recovering the GitHub App private key, an attacker could have obtained read and write access to approximately 1 million repositories across the platform's more than 80,000 installations.

Systemic Failure in Secrets Management (Storing Critical Keys in Environment Variables) (high)
The RCE exploit revealed a fundamental security architecture flaw: CodeRabbit stored critical, long-lived secrets, including GITHUB_APP_PEM_FILE (the GitHub App private key), Anthropic API keys, OpenAI API keys, and PostgreSQL database credentials, directly in environment variables that the execution runner, and therefore any code it ran, could read. This violates basic secrets hygiene and the principle of least privilege: a process that executes untrusted input should hold no credentials it does not need, and certainly not a key whose compromise grants access to every installation.

Delayed Public Disclosure and Reputational Damage (medium)
The vulnerability was fixed internally in January 2025, but CodeRabbit did not publicly disclose the incident until August 19, 2025, coinciding with the security researcher's publication. This delay drew public criticism over a lack of transparency, with at least one customer confirming that they cancelled their paid subscription because the company acknowledged the issue only after it went viral on Hacker News.
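The two technical findings above come down to one mechanism: the runner's environment held the GitHub App private key and API keys, and a child process executing attacker-influenced code inherited that environment. The following is an added example, not CodeRabbit's code, that reproduces the failure mode and the fix in Ruby (RuboCop's own language). It assumes only that the review runner launches the analysis tool as a child process; the secret values are constructed placeholders and the function names are hypothetical. The child stands in for whatever code the linter ends up executing and simply reports which variable names it can see.

```ruby
require "open3"
require "rbconfig"

# Constructed stand-ins for the secrets named in the finding. Nothing here is real.
RUNNER_ENV = {
  "GITHUB_APP_PEM_FILE" => "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----",
  "ANTHROPIC_API_KEY"   => "constructed-anthropic-key",
  "OPENAI_API_KEY"      => "constructed-openai-key",
  "PGPASSWORD"          => "constructed-pg-password",
}.freeze

# The only variables the analysis child is allowed to see in the hardened runner.
SAFE_ENV = {
  "PATH" => "/usr/bin:/bin",
  "HOME" => "/tmp",      # a writable HOME for the tool's cache, nothing more
  "LANG" => "C.UTF-8",
}.freeze

# Variable names that must never reach a process running untrusted code.
SENSITIVE = /PEM|KEY|SECRET|TOKEN|PASSWORD|DATABASE_URL/i

# Stand-in for "whatever code the linter executes": print every variable name it can see.
DUMP_ENV_KEYS = 'print ENV.keys.join(",")'

# Spawn the child with the given environment and return the variable names it saw.
# unsetenv_others: true tells Process.spawn to drop every inherited variable that
# is not in the hash; false (the default) merges the hash into the parent's env.
def child_env_keys(env, unsetenv_others:)
  out, status = Open3.capture2(env, RbConfig.ruby, "-e", DUMP_ENV_KEYS,
                               unsetenv_others: unsetenv_others)
  raise "child exited #{status.exitstatus}" unless status.success?
  out.split(",")
end

# Vulnerable pattern: secrets live in the runner's own environment and the
# child inherits all of it, so RCE inside the tool means secret exfiltration.
def run_linter_inheriting_env
  child_env_keys(RUNNER_ENV, unsetenv_others: false)
end

# Hardened pattern: the child receives an explicit allowlist and nothing else.
# The runner keeps the GitHub App key and API keys in its own address space
# (or, better, in a secrets manager) and never hands them to the child.
def run_linter_with_allowlist
  child_env_keys(SAFE_ENV, unsetenv_others: true)
end

# Names in the child's environment that look like credentials.
def leaked_secret_names(env_keys)
  env_keys.grep(SENSITIVE).sort
end

if __FILE__ == $PROGRAM_NAME
  puts "inherited env leaks:   #{leaked_secret_names(run_linter_inheriting_env).inspect}"
  puts "allowlisted env leaks: #{leaked_secret_names(run_linter_with_allowlist).inspect}"
end
```

Scrubbing the environment removes the direct path from "code execution inside the linter" to "GitHub App private key", but it is only the first layer: the child still shares the runner's filesystem, network, and user, so a production fix would also run the tool in a separate sandbox or container, under a dedicated unprivileged user, with a short-lived installation token scoped to the one repository under review instead of the app-level private key.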