OpenAI Codex CLI Symlink Arbitrary File Overwrite Vulnerability Leading to Potential Remote Code Execution

Vulnerability

A vulnerability in the OpenAI Codex CLI affects versions prior to 0.12.0. When the CLI is run in workspace-write mode inside a malicious context, such as a compromised repository or directory, it can unintentionally overwrite arbitrary files. The root cause is that the CLI follows symlinks that point outside the permitted working directory, so a write that appears to target the workspace lands elsewhere on the filesystem, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows arbitrary file overwriting, with the possibility of remote code execution if the overwritten file is later executed, for example as a script.

Reproduction

To reproduce this vulnerability, create a symlink in the current working directory that points to a file in a writable directory outside the Codex CLI sandbox. Then, run the Codex CLI in workspace-write mode, which will follow the symlink and overwrite the original file with new data. This can be done by initiating a prompt injection that instructs Codex to create a file, which will instead write to the symlinked file outside the intended sandbox.
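The following is an added illustration of the defect class described above, not code from the Codex CLI project: a naive write that checks only the lexical path follows a symlink out of the workspace, while the confined version resolves symlinks before comparing against the workspace root and opens the leaf with O_NOFOLLOW. The directory layout, file names and the `WorkspaceEscape` exception are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class WorkspaceEscape(Exception):
    """Raised when a write would land outside the workspace root."""


def naive_write(workspace_root: str, rel_path: str, data: bytes) -> None:
    # Vulnerable pattern: only the lexical path is under the workspace, so a
    # symlink planted inside the workspace silently redirects the write.
    with open(Path(workspace_root) / rel_path, "wb") as fh:
        fh.write(data)


def confined_write(workspace_root: str, rel_path: str, data: bytes) -> Path:
    root = Path(workspace_root).resolve(strict=True)
    target = root / rel_path
    # Resolve every symlink and ".." in the path (parents and leaf) and
    # compare the physical location against the workspace root.
    real = target.resolve()
    if real != root and root not in real.parents:
        raise WorkspaceEscape(f"{rel_path} resolves to {real}, outside {root}")
    # Close the check-then-use window on the leaf: refuse to open through a
    # symlink at all, so only a regular file physically inside root is written.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return real


def demo() -> dict:
    # Constructed layout: workspace/notes.txt is a symlink to ../outside/victim.sh
    base = Path(tempfile.mkdtemp())
    ws, outside = base / "workspace", base / "outside"
    ws.mkdir()
    outside.mkdir()
    victim = outside / "victim.sh"
    victim.write_bytes(b"#!/bin/sh\necho original\n")
    (ws / "notes.txt").symlink_to(victim)

    naive_write(str(ws), "notes.txt", b"#!/bin/sh\necho injected\n")
    try:
        confined_write(str(ws), "notes.txt", b"x")
        blocked = False
    except WorkspaceEscape:
        blocked = True
    confined_write(str(ws), "real.txt", b"ok")  # an ordinary in-workspace write still works
    return {"naive_overwrote": b"injected" in victim.read_bytes(),
            "confined_blocked": blocked,
            "inside_ok": (ws / "real.txt").read_bytes() == b"ok"}
```

The resolve-then-compare step catches symlinked parent directories and `..` components; O_NOFOLLOW on the leaf is what stops a symlink swapped in between the check and the write.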

Remediation

Users can update to Codex CLI version 0.12.0 or later, where this vulnerability has been addressed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.