CVE-2025-59532
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: GitHub, Inc.

Description
Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0 that canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59532
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
openai codex_cli 0.38.0
openai codex_ide_extension 0.4.11
openai codex_ide_extension 0.4.12
openai codex_cli 0.39.0
openai codex_cli 0.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Codex CLI versions 0.2.0 to 0.38.0 arises from a bug in the sandbox configuration logic. The software could mistakenly treat a model-generated current working directory (cwd) as the sandbox's writable root, including paths outside the user's intended workspace. This bypasses the sandbox boundary, allowing arbitrary file writes and command execution with the permissions of the Codex process. The issue does not affect the network-disabled sandbox restriction. It has been fixed in version 0.39.0 by properly canonicalizing and validating the sandbox boundary based on the user's session start location.

Impact Analysis

This vulnerability can allow an attacker or malicious model output to write files or execute commands arbitrarily on the system where Codex CLI is running, within the permissions of the Codex process. This could lead to unauthorized modification or deletion of files, execution of harmful commands, and potential compromise of the affected system.

Mitigation Strategies

Users running Codex CLI versions 0.38.0 or earlier should immediately update to version 0.39.0 or later via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, update immediately to version 0.4.12 to fix the sandbox issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59532. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart