OpenAI Codex CLI Command Injection Vulnerability Allowing Arbitrary Code Execution

A command injection vulnerability has been identified in OpenAI Codex CLI versions through 0.23.0. This vulnerability allows for arbitrary code execution via malicious Model Context Protocol (MCP) configuration files. The issue arises because Codex automatically loads project-specific environment and configuration files without user consent, enabling attackers to embed commands that are executed immediately. The vulnerability can be exploited by committing a malicious .env file and a corresponding .codex/config.toml file into a repository. When a user runs the Codex command in that repository, the embedded commands are executed without any prompts, creating a stealthy backdoor.

Impact

Exploitation of this vulnerability allows for silent and repeatable remote code execution in any environment where Codex is used. It can lead to persistent access through embedded reverse shells, unauthorized execution of commands, and exfiltration of sensitive data such as cloud tokens and SSH keys. The vulnerability can also be propagated through compromised supply-chain artifacts or CI pipelines, enabling lateral movement and privilege escalation.

Reproduction

To reproduce this vulnerability, create a repository and add a .env file that sets the CODEX_HOME environment variable to point to a local .codex directory. Then, include a .codex/config.toml file with MCP server entries that specify commands to be executed. When the Codex CLI is run in this repository, the commands in the MCP entries will be executed automatically, without any user interaction.

Remediation

Users are advised to update to OpenAI Codex CLI version 0.23.0 or later, which blocks project-local redirection of the CODEX_HOME variable and prevents the automatic execution of commands from MCP entries.