CVE-2025-54558: OpenAI Codex CLI: sandbox bypass via ripgrep flag abuse

MEDIUM
Published July 25, 2025
CISO Take

OpenAI Codex CLI versions before 0.9.0 auto-approve ripgrep execution without validating dangerous flags like --pre, which allows arbitrary command execution outside the intended sandboxed approval workflow. Any developer team using Codex CLI for agentic coding tasks on local systems is exposed. Upgrade to 0.9.0 immediately and audit any CI/CD pipelines or developer workstations running the CLI.

Risk Assessment

Despite a moderate CVSS score (4.1), contextual risk is elevated for organizations using AI coding agents. The --pre flag in ripgrep allows specifying a preprocessor binary executed against each file, effectively enabling arbitrary command execution. Since Codex CLI auto-approves rg as a trusted tool, this bypasses the human approval gate that is the primary security control in agentic CLI workflows. Local access and user interaction are required, limiting mass exploitation, but insider threat and supply chain scenarios (malicious repo with crafted .ripgreprc or Makefile) are realistic.

Severity & Risk

CVSS 3.1
4.1 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 7% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

Metric                     Value
AV (Attack Vector)         Local
AC (Attack Complexity)     High
PR (Privileges Required)   None
UI (User Interaction)      Required
S (Scope)                  Changed
C (Confidentiality)        Low
I (Integrity)              Low
A (Availability)           None

Recommended Action

  1. Upgrade OpenAI Codex CLI to version 0.9.0 or later immediately.

  2. Audit CI/CD pipelines for pinned Codex CLI versions below 0.9.0.

  3. If immediate upgrade is not possible, disable or restrict ripgrep execution in Codex CLI configuration.

  4. Review any .ripgreprc files in project repositories for presence of --pre, --hostname-bin, or --search-zip flags.

  5. Apply principle of least privilege to the user account running Codex CLI.

  6. In EDR/endpoint telemetry, alert on rg processes spawning child processes or network connections, which would indicate --pre exploitation.
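The following is an added example, not OpenAI's code or part of this advisory: a small defender-side checker that implements step 4 (reviewing .ripgreprc contents) and the flag validation the NVD description says was missing before 0.9.0, so it can be dropped into a pre-commit hook or a tool-approval wrapper. It assumes ripgrep's config format (one argument per line, `#` comments), accepts both `--pre cmd` and `--pre=cmd`, and treats clustered short options such as `-zn` conservatively; the sample config is constructed for the demo.

```python
"""Flag-validation and .ripgreprc review for rg invocations (added example)."""
from typing import List

# Flags that make rg run an external program or a decompressor (from the NVD text).
DANGEROUS_LONG = {"--pre", "--hostname-bin", "--search-zip"}
DANGEROUS_SHORT = {"z"}  # -z is the short form of --search-zip


def dangerous_flags(argv: List[str]) -> List[str]:
    """Return the dangerous flags found in an rg argument list.

    Everything after a bare '--' is a pattern or path, not an option.
    Single-dash clusters such as '-zn' are scanned letter by letter; this is
    deliberately fail-closed (a 'z' given as the value of -e would also trip it).
    """
    found = []
    for arg in argv:
        if arg == "--":
            break
        if arg.startswith("--"):
            name = arg.split("=", 1)[0]  # normalise --pre=cmd to --pre
            if name in DANGEROUS_LONG:
                found.append(name)
        elif arg.startswith("-") and len(arg) > 1:
            found.extend("-" + c for c in arg[1:] if c in DANGEROUS_SHORT)
    return found


def parse_ripgreprc(text: str) -> List[str]:
    """Turn ripgreprc content into an argv: one argument per line, comments and blanks skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def requires_approval(argv: List[str]) -> bool:
    """Policy the advisory describes: auto-approve rg only when no dangerous flag is present."""
    return bool(dangerous_flags(argv))


# Constructed sample config for the demo (not from any real repository).
SAMPLE_RIPGREPRC = """\
# keep terminal output short
--max-columns=150
--pre=./scripts/preprocess.sh
--pre-glob
*.pdf
"""

if __name__ == "__main__":
    print("config flags needing review:", dangerous_flags(parse_ripgreprc(SAMPLE_RIPGREPRC)))
    print("argv needs human approval:", requires_approval(["rg", "-zn", "TODO", "src/"]))
```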

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
GOVERN-1.7 - Processes for AI risk management
OWASP LLM Top 10
LLM06 - Excessive Agency
LLM07 - System Prompt Leakage / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-54558?

OpenAI Codex CLI versions before 0.9.0 auto-approve ripgrep execution without validating dangerous flags like --pre, which allows arbitrary command execution outside the intended sandboxed approval workflow. Any developer team using Codex CLI for agentic coding tasks on local systems is exposed. Upgrade to 0.9.0 immediately and audit any CI/CD pipelines or developer workstations running the CLI.

Is CVE-2025-54558 actively exploited?

No confirmed active exploitation of CVE-2025-54558 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-54558?

  1. Upgrade OpenAI Codex CLI to version 0.9.0 or later immediately.
  2. Audit CI/CD pipelines for pinned Codex CLI versions below 0.9.0.
  3. If immediate upgrade is not possible, disable or restrict ripgrep execution in Codex CLI configuration.
  4. Review any .ripgreprc files in project repositories for presence of --pre, --hostname-bin, or --search-zip flags.
  5. Apply principle of least privilege to the user account running Codex CLI.
  6. In EDR/endpoint telemetry, alert on rg processes spawning child processes or network connections, which would indicate --pre exploitation.

What systems are affected by CVE-2025-54558?

This vulnerability affects the following AI/ML architecture patterns: AI coding assistants, agent frameworks, agentic developer tools.

What is the CVSS score for CVE-2025-54558?

CVE-2025-54558 has a CVSS v3.1 base score of 4.1 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag.

Exploitation Scenario

An adversary plants a malicious .ripgreprc config file in a target repository (e.g., via a compromised dependency or malicious PR). When a developer uses Codex CLI to analyze the repo, the agent invokes ripgrep for file search operations. Because ripgrep is auto-approved, the CLI executes rg with the attacker-controlled --pre flag pointing to a malicious script. The preprocessor script runs with the developer's privileges, enabling credential theft (AWS keys, GitHub tokens, .env files), data exfiltration, or persistence installation, all without triggering the interactive approval prompt that is the CLI's primary defense.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
July 25, 2025
Last Modified
July 25, 2025
First Seen
July 25, 2025
