CVE-2025-61260 Overview
A critical command injection vulnerability was identified in OpenAI Codex CLI v0.23.0 and earlier versions that enables arbitrary code execution through malicious MCP (Model Context Protocol) configuration files. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and poses a significant supply chain security risk to developers using the Codex CLI tool.
The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately upon invocation.
Critical Impact
Attackers can achieve full code execution on developer workstations by planting malicious configuration files in repositories, potentially leading to credential theft, backdoor installation, or lateral movement within development environments.
Affected Products
- OpenAI Codex CLI v0.23.0 and earlier versions
- Development environments using automatic MCP configuration file loading
- Any system running the codex command in untrusted repository directories
Discovery Timeline
- 2026-04-14 - CVE-2025-61260 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2025-61260
Vulnerability Analysis
This command injection vulnerability stems from the Codex CLI's design decision to automatically load and process configuration files from the current working directory without user interaction or validation. When a developer navigates to a cloned repository and executes the codex command, the CLI searches for and parses .env and .codex/config.toml files in the project directory structure.
The MCP (Model Context Protocol) configuration allows specification of external tools and commands that the CLI can invoke. An attacker who controls or can contribute to a repository can craft malicious configuration entries that execute arbitrary system commands when the configuration is loaded. This represents a classic supply chain attack vector where the malicious payload is delivered through seemingly legitimate project files.
The vulnerability is particularly dangerous because it requires no user interaction beyond running the standard codex command, and the malicious execution occurs before any normal CLI functionality is displayed to the user.
Root Cause
The root cause is the lack of input validation and user confirmation when processing MCP configuration files. The Codex CLI trusts project-local configuration files implicitly, treating them as safe without verifying their contents or prompting the user before executing any embedded commands. This design flaw allows untrusted input from repository files to flow directly into command execution contexts.
Attack Vector
The attack leverages the network-accessible nature of code repositories. An attacker can distribute the malicious payload through several vectors:
- Compromised Public Repositories: Injecting malicious configuration files into popular open-source projects through pull requests or compromised maintainer accounts
- Typosquatting: Creating malicious repositories with names similar to legitimate projects
- Social Engineering: Sharing links to malicious repositories with developers under the guise of code review or collaboration requests
- Supply Chain Compromise: Modifying configuration files in private repositories through compromised developer credentials
When a developer clones the repository and runs codex in that directory, the malicious commands execute with the privileges of the user account, potentially exfiltrating credentials, environment variables, SSH keys, or installing persistent backdoors.
The vulnerability mechanism involves the Codex CLI parsing configuration files from .env and .codex/config.toml without sanitization. Malicious entries in these files can specify arbitrary commands through the MCP tool configuration, which are then executed by the CLI during initialization. For detailed technical analysis, see the Check Point Research Vulnerability Analysis.
Detection Methods for CVE-2025-61260
Indicators of Compromise
- Unexpected .codex/config.toml files appearing in repository directories with embedded shell commands or unusual tool configurations
- Suspicious network connections initiated immediately after running the codex command
- Unusual process spawning from the Codex CLI process, particularly shells or network utilities
- Modifications to developer environment files (.bashrc, .zshrc, SSH configurations) following Codex CLI usage
Detection Strategies
- Monitor file system activity for creation or modification of .codex/config.toml and .env files in development directories
- Implement endpoint detection rules to alert on child processes spawned by the Codex CLI that execute shells or network commands
- Review repository commit history for suspicious additions of MCP configuration files, especially in pull requests from unknown contributors
- Deploy static analysis tools to scan repositories for potentially malicious configuration file patterns
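The child-process rule from the list above, run over process-creation events, as an added example that is not part of the original advisory or any vendor's detection content. The event tuples, the `WATCHED` set and the `STARTUP_WINDOW` value are constructed assumptions; the window reflects the advisory's point that the malicious execution happens at startup.

```python
from collections import defaultdict
from pathlib import PurePath

# Constructed process-creation events: (pid, ppid, image, start time in seconds).
EVENTS = [
    (100, 1, "/usr/bin/zsh", 10.0),
    (200, 100, "/usr/local/bin/codex", 50.0),
    (210, 200, "/usr/bin/node", 50.4),   # launcher started by codex
    (211, 210, "/bin/sh", 50.6),         # shell two levels below codex
    (212, 211, "/usr/bin/curl", 50.7),   # network utility below that shell
    (220, 200, "/usr/bin/git", 95.0),    # not a watched image
    (230, 200, "/bin/bash", 120.0),      # watched, but long after startup
    (300, 100, "/usr/bin/curl", 60.0),   # watched, but not under codex
]
# Assumed watch list of shells and network utilities; tune to your baseline.
WATCHED = {"sh", "bash", "zsh", "dash", "curl", "wget", "nc", "ssh"}
STARTUP_WINDOW = 5.0  # seconds after codex starts; assumed tuning value

def codex_startup_alerts(events):
    """Return (codex_pid, child_pid, image) for watched descendants of codex
    that started within STARTUP_WINDOW seconds of the codex process."""
    children = defaultdict(list)
    for pid, ppid, image, ts in events:
        children[ppid].append((pid, image, ts))
    alerts = []
    for pid, _, image, started in events:
        if PurePath(image).name != "codex":
            continue
        stack = [pid]  # walk the whole subtree, not only direct children
        while stack:
            for cpid, cimage, ts in children[stack.pop()]:
                stack.append(cpid)
                in_window = 0 <= ts - started <= STARTUP_WINDOW
                if PurePath(cimage).name in WATCHED and in_window:
                    alerts.append((pid, cpid, cimage))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in codex_startup_alerts(EVENTS):
        print(alert)
```

The sketch ignores PID reuse; a production rule would key on a unique process identifier from the endpoint sensor.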
Monitoring Recommendations
- Enable comprehensive logging for CLI tool invocations in development environments to establish baselines and detect anomalies
- Configure SentinelOne's behavioral AI to monitor for unusual command execution patterns following developer tool usage
- Implement repository security scanning in CI/CD pipelines to detect malicious configuration files before developer checkout
- Monitor outbound network connections from developer workstations for unexpected destinations following codex command execution
How to Mitigate CVE-2025-61260
Immediate Actions Required
- Upgrade OpenAI Codex CLI to the latest version that includes security fixes for configuration file handling
- Review all existing repositories for unexpected or modified .codex/config.toml and .env files before running the codex command
- Implement a pre-execution review process for configuration files in newly cloned repositories
- Consider running development tools in sandboxed or containerized environments to limit the impact of potential exploitation
Patch Information
Users should update to the latest version of OpenAI Codex CLI that addresses this vulnerability. Check the OpenAI Official Website for the latest release information and security advisories. The fix should include validation of configuration file contents and user confirmation prompts before executing any embedded commands.
Workarounds
- Manually inspect .codex/config.toml and .env files in any repository before running the codex command, looking for suspicious command entries or tool configurations
- Create a wrapper script that validates configuration files against a known-safe pattern before invoking the actual codex command
- Use the --no-config flag if available to prevent automatic loading of project-local configuration files
- Run the Codex CLI in a restricted environment or container that limits access to sensitive files and network resources
```bash
# Example: Safe repository initialization workflow
# 1. Clone repository to isolated directory
git clone <repository-url> /tmp/isolated-repo
# 2. Inspect configuration files before using Codex
#    (cat -v makes control characters visible instead of letting the terminal interpret them)
cat -v /tmp/isolated-repo/.codex/config.toml 2>/dev/null || echo "No config.toml found"
cat -v /tmp/isolated-repo/.env 2>/dev/null || echo "No .env found"
# 3. Remove or sanitize suspicious configuration files
rm -f /tmp/isolated-repo/.codex/config.toml
rm -f /tmp/isolated-repo/.env
# 4. Only proceed with codex if configuration is verified safe
cd /tmp/isolated-repo && codex
```


