gitprotect.io
DevOps Threats Unwrapped: Mid-Year Report 2025 - GitProtect.io
Excerpt
- Azure DevOps recorded a total of **74 incidents**, including one of the **longest-lasting performance degradations** that spanned **159 hours**.
- European users were particularly affected, accounting for **34%** of all incidents on Azure DevOps.
- GitHub saw a **58% year-over-year increase** in the number of incidents, reaching **109 reported cases**:
- 17 of them were classified as major, leading to **over 100 hours of total disruption**.
- April stood out as the most turbulent month, with incidents accumulating to **330 hours and 6 minutes**.

…

## Azure DevOps

In the first half of the year, Azure DevOps experienced a total of **74 incidents**, including 3 advisory cases and 71 incidents of degraded performance. Some incidents impacted multiple components at the same time, while others affected only a single component. For instance, one outage could disrupt Pipelines, Boards, Repos, and Test Plans simultaneously. In our methodology, such an event is counted as one incident overall, even if it influenced several services. Within this total, the components were affected the following number of times: …

In January 2025, Azure DevOps users worldwide faced one of the longest-lasting performance degradations on record: **a 159-hour disruption** that severely impacted pipeline functionality. For almost a week, users trying to create Managed DevOps Pools within new subscriptions without existing pools experienced persistent failures. These attempts repeatedly timed out with the provisioning error: *“The resource write operation failed to complete successfully, because it reached terminal provisioning state ‘Canceled’.”* The issue led to delays in builds, deployments, and onboarding processes across affected environments, highlighting the operational risks tied to large-scale platform dependencies.

Another serious security challenge for Microsoft Azure DevOps in 2025 was the discovery of multiple critical vulnerabilities, including SSRF and CRLF injection flaws within the endpointproxy and Service Hooks components. These vulnerabilities could be exploited to carry out DNS rebinding attacks and allow unauthorized access to internal services. Such attacks present significant risks in cloud environments, including data leakage and potential theft of access tokens. In response, Microsoft released security patches and awarded a $15,000 bug bounty to the researchers who discovered the issues.
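
The three flaw classes named above (SSRF, CRLF injection, DNS rebinding) are usually mitigated together wherever a server fetches a user-supplied URL, such as a webhook target. The sketch below is an added example, not code from the report or from Microsoft's patches; `validate_hook_url`, the https-only policy, the fake resolver and its addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class UnsafeTarget(ValueError):
    """The server must not fetch this URL."""

def system_resolve(host, port):
    """Every address the name resolves to right now."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def validate_hook_url(url, resolve=system_resolve):
    """Return (host, port, pinned_ip) for a fetchable target, else raise."""
    # CRLF injection: whitespace or control bytes could split the request line or headers.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeTarget("control character or whitespace in URL")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:  # assumed policy: https only
        raise UnsafeTarget("only absolute https URLs are accepted")
    if parts.username or parts.password:
        raise UnsafeTarget("credentials in URL")
    port = parts.port or 443
    addrs = sorted(resolve(parts.hostname, port))
    if not addrs:
        raise UnsafeTarget("host does not resolve")
    # SSRF: refuse if ANY answer is loopback, private, link-local or otherwise non-public.
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeTarget(f"{addr} is not a public address")
    # DNS rebinding: caller connects to this IP (host kept for SNI/Host) and never re-resolves.
    return parts.hostname, port, addrs[0]

def is_safe(url, resolve=system_resolve):
    try:
        validate_hook_url(url, resolve)
        return True
    except ValueError:  # UnsafeTarget, or a malformed port / IPv6 literal
        return False

# Constructed sample data: a fake resolver so the example runs offline.
FAKE_DNS = {
    "hooks.example.com": {"93.184.216.34"},
    "intranet.example.com": {"10.0.0.5"},
    "mixed.example.com": {"93.184.216.34", "169.254.169.254"},
}

def fake_resolve(host, port):
    return FAKE_DNS.get(host, set())
```

Validation only helps if the HTTP client then connects to the returned `pinned_ip` rather than resolving the hostname again, and if redirects are either disabled or passed through the same check.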
Related Pain Points
Azure DevOps experiences frequent and prolonged outages
Azure DevOps recorded 74 incidents in H1 2025, including a 159-hour performance degradation affecting Managed DevOps Pools. Multiple components (Pipelines, Boards, Repos, Test Plans) can be simultaneously affected, causing multi-day delays in builds and deployments.
Azure DevOps security vulnerabilities in critical components
Multiple critical vulnerabilities were discovered in Azure DevOps, including SSRF and CRLF injection flaws in the endpointproxy and Service Hooks components. They allow DNS rebinding attacks and unauthorized access to internal services, with risks of data leakage and token theft.