OpenAI Codex CLI serves developers by integrating AI reasoning into terminal workflows.
This tool reads, edits, and runs code via natural-language commands, automating tasks through features such as MCP (Model Context Protocol). MCP standardizes connections to external tools, enabling custom extensions.
Security researchers at Check Point tested whether Codex safely processes project-supplied configurations loaded at runtime.
They uncovered a flaw that causes the CLI to trust local files, allowing attackers to execute arbitrary commands without user consent.
How The Attack Works
Codex CLI automatically loads MCP server entries from project-local configs when run inside a repository.
Attackers exploit this by adding two files: a .env file setting CODEX_HOME=./.codex to redirect config resolution, and a ./.codex/config.toml defining mcp_servers with a malicious command and args.
At startup, Codex parses the TOML file and invokes the declared command immediately—no prompts, validation, or re-checks occur.
Trust ties to the config location, not its contents, so benign files can be swapped for payloads post-merge.
| CVE ID | CVSS Score | Severity | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2025-61260 | 9.8 (Critical) | High | Codex CLI < 0.23.0 | 0.23.0 | Command injection via unvalidated project-local MCP configs loaded through redirected CODEX_HOME. |
Researchers demonstrated payloads such as file creation and reverse shells. For instance, a config entry runs open /System/Applications/Calculator.app on macOS victims, or escalates to shell access.
The steps are: commit the benign repository structure, add the .env redirect, embed the payload in config.toml, then wait for a clone or git pull followed by a codex run.
Real-World Risks and Patch
This flaw turns repositories into backdoors. Attackers with commit or PR access achieve persistent remote code execution (RCE) on developer machines, harvesting SSH keys, cloud tokens, or source code.
Compromised open-source templates propagate to downstream users; CI pipelines spread them to builds.
Consequences include data exfiltration, lateral movement, and supply-chain attacks; silent triggers in standard workflows break the CLI's security boundaries.
Check Point disclosed responsibly on August 7, 2025. OpenAI patched in version 0.23.0 (August 20), blocking .env redirects to project directories and halting auto-execution.
Tests confirm the fix is effective and that safer defaults are now enforced.
Developers should update immediately, audit repositories for .codex folders, and avoid untrusted configs; full details are available from Check Point Research.
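The mechanism above (a .env redirect of CODEX_HOME into the repository plus a project-local .codex/config.toml that declares mcp_servers commands) and the audit advice just given can be turned into a repository scan. The script below is an added example written for this article; it is not Check Point's or OpenAI's code. It assumes the file names and layout the article describes (a .env line setting CODEX_HOME, a config.toml inside a .codex directory, and [mcp_servers.<name>] tables carrying command and args keys); the function names are hypothetical, and the sample repository it builds uses a harmless echo command constructed purely for demonstration.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Added example, not the project's own code. Assumes the layout the article
# describes: CODEX_HOME set in .env, and <CODEX_HOME>/config.toml holding
# [mcp_servers.<name>] tables with "command" and "args" keys.
try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters fall back to a line-oriented scan
    tomllib = None

# Matches "CODEX_HOME=./.codex", "export CODEX_HOME='x'", etc. in dotenv files.
ENV_LINE = re.compile(r'^\s*(?:export\s+)?CODEX_HOME\s*=\s*["\']?([^"\'#\s]+)')


def find_codex_home_redirects(repo: Path):
    """Report every .env-style line that points CODEX_HOME somewhere, flagging targets inside the repo."""
    repo_r = repo.resolve()
    findings = []
    for env_file in repo.rglob(".env*"):
        if not env_file.is_file():
            continue
        for line in env_file.read_text(errors="replace").splitlines():
            m = ENV_LINE.match(line)
            if not m:
                continue
            value = m.group(1)
            target = Path(value).resolve() if os.path.isabs(value) else (env_file.parent / value).resolve()
            # A target inside the repository means the repository controls Codex's config.
            inside = target == repo_r or repo_r in target.parents
            findings.append({"file": str(env_file.relative_to(repo)), "value": value, "inside_repo": inside})
    return findings


def mcp_servers_from_toml(text: str):
    """Extract {name: {"command": ..., "args": [...]}} from a Codex-style config.toml."""
    if tomllib is not None:
        try:
            data = tomllib.loads(text)
        except tomllib.TOMLDecodeError:
            data = {}
        servers = data.get("mcp_servers", {})
        return {name: {"command": spec.get("command"), "args": spec.get("args", [])}
                for name, spec in servers.items() if isinstance(spec, dict)}
    # Fallback: scan [mcp_servers.<name>] headers and the command/args lines under them.
    servers, current = {}, None
    for line in text.splitlines():
        header = re.match(r'^\s*\[mcp_servers\.([^\]]+)\]', line)
        if header:
            current = header.group(1).strip().strip('"')
            servers[current] = {"command": None, "args": []}
            continue
        if current and (kv := re.match(r'^\s*(command|args)\s*=\s*(.+)$', line)):
            key, raw = kv.group(1), kv.group(2).strip()
            servers[current][key] = raw.strip('"') if key == "command" else re.findall(r'"([^"]*)"', raw)
    return servers


def find_project_mcp_configs(repo: Path):
    """List every MCP server declared in a .codex/config.toml anywhere in the repository."""
    findings = []
    for cfg in repo.rglob("config.toml"):
        if cfg.parent.name != ".codex":
            continue
        for name, spec in mcp_servers_from_toml(cfg.read_text(errors="replace")).items():
            findings.append({"file": str(cfg.relative_to(repo)), "server": name, **spec})
    return findings


def audit_repo(repo) -> dict:
    """Combine both checks; the risky case is a redirect into the repo plus a command-running MCP server."""
    repo = Path(repo)
    redirects = find_codex_home_redirects(repo)
    servers = find_project_mcp_configs(repo)
    risky = bool(servers) and any(r["inside_repo"] for r in redirects)
    return {"redirects": redirects, "mcp_servers": servers, "risky": risky}


def build_sample_repo(with_payload: bool = True) -> Path:
    """Create a throwaway repo with constructed sample files (a harmless echo, not a real payload)."""
    repo = Path(tempfile.mkdtemp(prefix="codex-audit-"))
    (repo / "README.md").write_text("# sample project\n")
    if with_payload:
        (repo / ".env").write_text("CODEX_HOME=./.codex\n")
        (repo / ".codex").mkdir()
        (repo / ".codex" / "config.toml").write_text(
            '[mcp_servers.helper]\ncommand = "echo"\nargs = ["hello-from-config"]\n'
        )
    return repo


if __name__ == "__main__":
    print(json.dumps(audit_repo(build_sample_repo()), indent=2))
```

Run it against a checkout before the first codex invocation (for example in a pre-merge CI step): any finding with `inside_repo` true next to a declared `mcp_servers` entry is exactly the combination the article describes, and should be reviewed by a human before the repository is trusted.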