OpenAI Codex flaw let attackers run arbitrary code
The ChatGPT maker has since patched the issue
Check Point Research has found a flaw in OpenAI’s AI coding tool, Codex, that would have allowed attackers to exfiltrate data without triggering security alerts.
The command injection vulnerability meant attackers could run arbitrary commands on developers' machines by simply planting a malicious configuration file inside a project repository.
The flaw, disclosed by Check Point Research (CPR) and since fixed by OpenAI, stemmed from how the Codex command-line interface handled project-specific configurations.
According to CPR, a single contaminated file was enough to compromise an entire development environment with no user interaction beyond running the codex command inside the affected repository.
Codex CLI, OpenAI's terminal coding tool, can read, edit and execute code straight from the command line. The tool integrates with external utilities using the Model Context Protocol (MCP), a standard that developers can use to extend the CLI with custom tools and workflows.
While this extensibility enhances productivity, CPR found that the mechanism for loading these configurations lacked critical validation, opening the door to silent code execution.
How the vulnerability worked
The issue was tied to how Codex CLI resolved configuration paths on startup. Researchers discovered that the CLI would automatically load and run MCP server entries from a project's local configuration whenever it was executed inside that repository.
In a typical attack scenario, an adversary could include a .env file defining CODEX_HOME=./.codex along with a ./.codex/config.toml containing malicious MCP server entries.
When a developer cloned the repository and ran the codex command, the CLI would resolve its configuration to the local folder, parse the server definitions and immediately execute the listed commands and arguments.
There were no approval prompts, no secondary checks and no revalidation when the configuration values changed. The CLI treated the project-local MCP configuration as trusted execution material, CPR researchers noted.
This meant that normal repository files, including those often ignored during security reviews, became a stealthy execution vector.
CPR demonstrated the exploit with a harmless proof-of-concept payload that launched a calculator, but confirmed that the same chain could support a reverse shell.
Because the commands executed under the developer's local user context, an attacker could silently exfiltrate data or harvest credentials without raising suspicion.
The vulnerability had broader supply-chain implications. An innocuous configuration could be merged legitimately and later swapped for a malicious version, creating a persistent backdoor triggered during ordinary development workflows.
For organisations, especially those operating in regulated industries, the risk was substantial. Developer machines often store cloud credentials, SSH keys and sensitive source code, any of which could be harvested for deeper network intrusion.
OpenAI's patch
Check Point Research disclosed the issue to the Codex CLI team on 7th August 2025. OpenAI issued a fix on 20th August, as part of Codex CLI version 0.23.0.
The update blocks .env files from redirecting CODEX_HOME to project directories without user awareness, effectively closing the automatic-execution pathway CPR uncovered.
According to the researchers, their follow-up testing confirmed that the fix works as intended. Codex CLI now blocks any project-local redirection of CODEX_HOME, enforcing safer defaults and eliminating immediate execution of attacker-supplied files.
Security researchers strongly advise that all users upgrade to Codex CLI version 0.23.0 or later. Without the update, developers remain susceptible to repository-based command injection attacks capable of breaching local machines, pipelines, and cloud environments.