OpenAI’s Codex CLI, a command-line tool designed to bring AI-powered reasoning into developer workflows, contains a critical vulnerability that allows attackers to execute arbitrary commands on developer machines without any user interaction or approval.
Security researchers Isabel Mill and Oded Vanunu discovered the flaw, tracked as CVE-2025-61260, on December 1, 2025.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-61260 |
| Product | OpenAI Codex CLI |
| Vulnerability Type | Command Injection via Project-Local Configuration |
| Severity | Critical |
| CVSS Score | 9.8 (estimated) |
The vulnerability exists in how Codex CLI handles project-local configuration files.
The tool automatically loads and executes Model Context Protocol (MCP) server entries from a project’s local configuration whenever a developer runs Codex inside a repository.
This happens silently, with no interactive approval, no secondary validation, and no re-checks when values change.
How the Attack Works
An attacker with write access or pull request permissions to a repository can exploit this flaw by creating two simple files.
First, they add a .env file that redirects the Codex configuration directory to a local folder (CODEX_HOME=./.codex). Second, they make a ./.codex/config.toml file containing malicious MCP server entries with arbitrary commands.
When a developer clones the repository and runs Codex, the tool automatically executes these commands in the developer’s context without any warnings or prompts.
Check Point researchers demonstrated this vulnerability with multiple proof-of-concept payloads, including deterministic file-creation attacks and reverse-shell execution, all of which ran silently on victim machines.
This vulnerability enables multiple attack scenarios that developers and organizations should understand.
Attackers can achieve persistent remote access by embedding reverse shells in the configuration file, gaining entry every time a developer runs Codex.
They can immediately execute any shell command defined in the MCP entry, with full access to the developer’s system and credentials.
Developer machines typically contain sensitive assets: cloud authentication tokens, SSH keys, source code repositories, and access credentials.
An attacker can directly harvest these secrets. Because trust is tied to the configuration location rather than its contents, attackers can replace an initially harmless configuration with malicious commands later, after the code has been merged, creating a stealthy, post-approval backdoor.
The impact extends beyond individual developers. If continuous integration systems, automation tools, or build agents run Codex against checked-out code, the compromise propagates into build artifacts and downstream deployments.
Contaminated templates or popular open-source projects can weaponize many downstream consumers with a single malicious commit.
This flaw fundamentally breaks the security boundary developers expect from their tools. Project-supplied files, which developers naturally trust as part of a legitimate repository, become trusted execution material without any validation.
An attacker needs only repository write access or a successful pull request merge to trigger silent code execution on any developer who pulls the changes and runs Codex.
The vulnerability creates an exceptionally effective supply-chain attack vector. Unlike many security flaws that require multiple steps or user interaction, this flaw integrates seamlessly into everyday developer workflows, making detection difficult.
Developers receive no indication that arbitrary commands are executing when they run what appears to be a routine development tool.
OpenAI has been notified of this vulnerability. Developers should review their use of the Codex CLI, audit project configurations, and monitor their repositories for suspicious MCP server entries until a patched version is available.
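A defender-side audit of the two-file pattern described above, added here as an example rather than code from OpenAI, Check Point or the researchers: it scans a checkout's .env for a CODEX_HOME redirect and the project-local config.toml for MCP server entries that name a command. The `[mcp_servers.<name>]` table layout with `command` and `args` keys is an assumption about the config format, and the line-based matching is a heuristic rather than a TOML parser.

```python
import re
from pathlib import Path

# Heuristic line matchers (not a TOML parser): the [mcp_servers.<name>] / command / args
# layout is an assumption about the config format, not something the article states.
ENV_RE = re.compile(r'^\s*(?:export\s+)?CODEX_HOME\s*=\s*["\']?([^"\'\s#]+)')
TABLE_RE = re.compile(r'^\s*\[\s*mcp_servers\.([^\].\s]+)[^\]]*\]')
KEY_RE = re.compile(r'^\s*(command|args)\s*=\s*(.+?)\s*$')

def codex_home_from_env(env_text):
    """Return the CODEX_HOME value a .env file sets, or None if it is absent."""
    for line in env_text.splitlines():
        if m := ENV_RE.match(line):
            return m.group(1)
    return None

def mcp_servers(toml_text):
    """Map each [mcp_servers.<name>] table to its raw command/args values."""
    servers, current = {}, None
    for line in toml_text.splitlines():
        if t := TABLE_RE.match(line):
            current = t.group(1)
            servers.setdefault(current, {})
        elif line.lstrip().startswith('['):
            current = None  # some other table: stop attributing keys to a server
        elif current is not None and (k := KEY_RE.match(line)):
            servers[current][k.group(1)] = k.group(2)
    return servers

def audit(env_text, config_text):
    """Return findings for one checkout; an empty list means nothing suspicious."""
    findings = []
    home = codex_home_from_env(env_text)
    if home is not None:
        findings.append(f'.env redirects CODEX_HOME to {home!r}')
    for name, entry in mcp_servers(config_text).items():
        findings.append(f'MCP server {name!r} would run {entry.get("command")} {entry.get("args", "")}')
    return findings

def audit_repo(repo):
    """Audit a checkout on disk, reading config.toml from wherever .env points."""
    repo = Path(repo)
    read = lambda p: p.read_text() if p.is_file() else ''  # missing file counts as empty
    env_text = read(repo / '.env')
    home = codex_home_from_env(env_text) or '.codex'  # fall back to the conventional folder
    return audit(env_text, read(repo / home / 'config.toml'))

# Constructed sample of the two files described above (not a real payload).
SAMPLE_ENV = 'CODEX_HOME=./.codex\n'
SAMPLE_CONFIG = '[mcp_servers.helper]\ncommand = "sh"\nargs = ["-c", "echo hi"]\n'
```

Run `audit_repo('.')` from the root of a freshly cloned repository before invoking Codex there; any finding is worth a look in the pull request history, since a benign entry can be swapped for a harmful one after merge.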
