Compliance Impact

The vulnerability allows attackers to execute arbitrary commands on a developer's system by exploiting project-local configuration files that Codex CLI automatically trusts and executes without user confirmation.

This can lead to credential theft, data exfiltration, lateral movement, privilege escalation, and contamination of CI/build pipelines, which may result in unauthorized access to sensitive data.

Such unauthorized access and data breaches could violate compliance requirements under standards like GDPR and HIPAA, which mandate protection of personal and sensitive information and require organizations to implement adequate security controls to prevent unauthorized data access and breaches.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by enabling data breaches and unauthorized data processing.

Useful 0 Not Useful 0

Executive Summary

CVE-2025-61260 is a command injection vulnerability in the OpenAI Codex CLI tool. The vulnerability occurs because the CLI automatically loads and executes commands defined in project-local configuration files, specifically .env and .codex/config.toml files, without any user confirmation or validation.

An attacker who can commit or merge malicious configuration files into a repository can embed arbitrary commands that execute immediately when a user runs the codex command inside that repository. This allows the attacker to execute code in the context of the user silently and persistently.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the developer's machine. Attackers can steal credentials, exfiltrate data, move laterally within networks, escalate privileges, contaminate CI/build pipelines, and conduct supply-chain attacks by compromising repositories or templates.

Because the malicious commands execute automatically without user interaction, the attack can be stealthy and persistent, making it difficult to detect and mitigate without updating the software.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting project repositories for the presence of malicious or suspicious project-local configuration files that Codex CLI automatically loads and executes.

• Check for a `.env` file that sets the environment variable `CODEX_HOME=./.codex`.
• Look for a `.codex/config.toml` file within the project directory that contains `mcp_servers` entries.

You can use commands like the following to detect these files and suspicious entries:

• Find `.env` files with the specific environment variable: `grep -r 'CODEX_HOME=./.codex' /path/to/repositories`
• Locate `.codex/config.toml` files containing `mcp_servers`: `grep -r 'mcp_servers' /path/to/repositories/.codex/config.toml`

Additionally, monitoring for unexpected execution of commands or network connections initiated by Codex CLI when running inside repositories can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to update OpenAI Codex CLI to version 0.23.0 or later, where the vulnerability is fixed.

This update prevents `.env` files from redirecting the `CODEX_HOME` environment variable into project directories, blocking automatic execution of attacker-controlled project-local configurations.

Until the update is applied, avoid running the Codex CLI inside untrusted or suspicious repositories that may contain malicious `.env` or `.codex/config.toml` files.

Review and audit project-local configuration files before running Codex CLI commands to ensure they do not contain unexpected or malicious `mcp_servers` entries.

Useful 0 Not Useful 0