OpenAI Codex CLI Command Injection Vulnerability Lets Attackers Execute Arbitrary Commands


OpenAI has patched a command injection flaw in its Codex CLI tool that allowed attackers to execute arbitrary commands on developers’ machines simply by getting a malicious configuration file into a project repository.

The issue, now fixed in Codex CLI version 0.23.0, effectively turned routine use of the codex command into a silent remote-code-execution trigger.

Codex CLI is OpenAI’s terminal-based coding agent, designed to read, edit, and run code while integrating external tools via the Model Context Protocol (MCP).

Check Point Research (CPR) discovered that the CLI implicitly trusted project-local configuration, allowing MCP server definitions to be loaded and executed automatically at startup with no user approval.

This behavior meant ordinary repo files, such as .env and .codex/config.toml, could be transformed into execution primitives.

OpenAI Codex CLI Vulnerability

CPR showed that if a repository contains a .env that sets CODEX_HOME=./.codex, plus a matching ./.codex/config.toml with mcp_servers entries, Codex will resolve its configuration to that folder and immediately run the configured command and arguments whenever codex is launched in that repo.


There was no secondary validation or re‑approval when those commands changed, so attackers with commit or pull‑request access could plant benign‑looking configs and later swap in malicious payloads.

In one proof-of-concept, the researchers triggered macOS Calculator as soon as Codex started, illustrating how arbitrary commands fire in the user’s context.


Because Codex runs with the developer’s privileges, a poisoned repo could silently open reverse shells, exfiltrate SSH keys and cloud tokens, or tamper with source code every time Codex is invoked.

The attack pathway also lends itself to supply-chain abuse: popular templates, starter repos, or CI pipelines that use Codex could propagate the backdoor to many downstream environments without additional interaction. CPR warns that the flaw effectively collapsed a key security boundary by treating project-controlled files as trusted execution material.

CPR privately reported the issue to OpenAI on 7 August 2025, and OpenAI shipped a fix on 20 August 2025 in Codex CLI 0.23.0. The patch blocks .env files from silently redirecting CODEX_HOME into project directories, closing the automatic execution chain demonstrated by the researchers.

Testing by CPR confirmed the mitigation, and all Codex users are strongly advised to upgrade to version 0.23.0 or later and to treat repository-level MCP configuration as sensitive, review-required content going forward.
