CVE-2025-59532: OpenAI Codex CLI: sandbox escape via model-generated cwd

Severity: UNKNOWN (no CVSS score) | PoC available
Published September 22, 2025
CISO Take

Codex CLI 0.2.0 through 0.38.0 lets a working directory generated by the model override the sandbox boundary, so the agent can write files and run commands anywhere the Codex process has permissions, not only in the folder the session was started in. Update immediately to CLI 0.39.0 or IDE extension 0.4.12; unpatched developer workstations are exposed to credential theft and source code compromise. Inventory all Codex deployments before the next sprint and treat any unpatched instance as a potential supply chain pivot point.

Risk Assessment

HIGH. Developer machines running affected Codex CLI versions are exposed to file writes and command execution outside the session's working directory. The attack surface is any organization using Codex CLI for AI-assisted development. Exploitation can be triggered by malicious content in a repository the agent is asked to work on, or by prompt injection during a session, and requires only moderate adversary skill. A compromised developer machine is a critical supply chain risk: credentials, SSH keys, CI/CD tokens, and source code are all readable and writable by the process. The network-disabled sandbox restriction was not affected and still blocks direct exfiltration from inside the sandbox, but that is only a partial control; filesystem access alone is enough for persistence (for example, writes to ~/.ssh/authorized_keys) and for staging data that leaves the machine by other means.

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.1% chance of exploitation in 30 days (higher than 17% of all CVEs)
Exploitation status: exploit available
Exploitation: MEDIUM
Sophistication: moderate
Exploitation confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates. Note that the CISA SSVC record below lists Exploitation as "none": a proof of concept is indexed, but no in-the-wild exploitation has been reported.

Recommended Action

5 steps
  1. PATCH IMMEDIATELY

    Update Codex CLI to ≥0.39.0 via npm/package manager; update Codex IDE extension to ≥0.4.12.

  2. INVENTORY

    Identify all developer workstations and CI/CD pipelines running affected versions. Codex CLI is normally installed globally (npm package @openai/codex), so a project's package-lock.json will usually not list it; check the installed version with `npm ls -g @openai/codex` or `codex --version`, and check the Codex IDE extension version in each editor.

  3. AUDIT

    Review filesystem activity logs on machines that ran affected Codex versions for unexpected writes outside working directories, particularly to ~/.ssh, ~/.aws, ~/.config, and credential files.

  4. DETECT

    Add monitoring rules for file creation/modification in sensitive directories during Codex process activity.

  5. WORKAROUND

    If immediate patching is blocked, run Codex inside a container with restricted filesystem mounts: bind-mount only the project directory, and do not mount the home directory, ~/.ssh, ~/.aws, or other credential stores. The container's mounts then enforce the boundary the vulnerable version fails to enforce, until the upgrade is completed.
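The inventory step above is where teams most often get the comparison wrong: comparing version strings lexically says "0.4.12" is newer than "0.39.0", which is the wrong answer for the CLI. The following triage helper is an added example written for this page, not a tool from the advisory or from OpenAI. It parses versions numerically, checks the CLI against the advisory's affected range (0.2.0 up to but not including 0.39.0) and the IDE extension against its fixed version (0.4.12), and reads the installed @openai/codex version out of `npm ls -g --json` output. The JSON sample below is constructed for the example; the `dependencies`/`version` shape is what npm's JSON listing uses, but run it against real output on your own hosts.

```python
"""Version triage for CVE-2025-59532 (added example, not the advisory's code)."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected range from the advisory: Codex CLI 0.2.0 through 0.38.0, fixed in 0.39.0.
CLI_AFFECTED_MIN: Version = (0, 2, 0)
CLI_FIXED: Version = (0, 39, 0)
# Codex IDE extension: fixed in 0.4.12. The advisory gives no lower bound,
# so any earlier extension version is treated as needing an update.
EXTENSION_FIXED: Version = (0, 4, 12)

_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Pull the first X.Y.Z out of arbitrary text (e.g. a --version banner).

    Numeric tuples compare correctly; plain strings do not:
    '0.4.12' > '0.39.0' is True lexically, which is the wrong answer.
    """
    m = _SEMVER.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def cli_is_affected(version: str) -> bool:
    """True for Codex CLI versions in [0.2.0, 0.39.0)."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    return CLI_AFFECTED_MIN <= v < CLI_FIXED


def extension_needs_update(version: str) -> bool:
    """True for Codex IDE extension versions below 0.4.12."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    return v < EXTENSION_FIXED


def codex_version_from_npm_ls(npm_ls_json: str) -> Optional[str]:
    """Extract the globally installed @openai/codex version from the JSON
    output of `npm ls -g --json`; None if the package is not installed."""
    tree = json.loads(npm_ls_json)
    pkg = tree.get("dependencies", {}).get("@openai/codex")
    return pkg.get("version") if pkg else None


# Constructed sample of what one workstation's `npm ls -g --json` might return.
SAMPLE_NPM_LS = json.dumps({
    "name": "lib",
    "dependencies": {
        "@openai/codex": {"version": "0.38.0"},
        "typescript": {"version": "5.6.3"},
    },
})


def triage_host(npm_ls_json: str, extension_version: Optional[str]) -> dict:
    """One-host verdict combining the CLI check and the optional extension check."""
    cli = codex_version_from_npm_ls(npm_ls_json)
    result = {
        "cli_version": cli,
        "cli_affected": cli_is_affected(cli) if cli else False,
        "extension_version": extension_version,
        "extension_needs_update": (
            extension_needs_update(extension_version) if extension_version else False
        ),
    }
    result["action_required"] = result["cli_affected"] or result["extension_needs_update"]
    return result


if __name__ == "__main__":
    # Assumed workflow: collect `npm ls -g --json` per host, then run triage.
    print(triage_host(SAMPLE_NPM_LS, "0.4.11"))
```

Feed `triage_host` the captured `npm ls -g --json` output from each workstation or CI image, plus the extension version reported by the editor, and patch every host where `action_required` is true.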

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.9.3 - AI System Access Controls
NIST AI RMF: GOVERN-1.1 - Policies for AI Risk Management; MANAGE-2.2 - Risk Treatment — AI System Vulnerabilities
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-59532?

CVE-2025-59532 is a sandbox-escape bug in OpenAI Codex CLI 0.2.0 through 0.38.0 (and the Codex IDE extension before 0.4.12). A working directory generated by the model could be treated as the sandbox's writable root, so the agent could write files and run commands outside the directory the user started the session in, with the permissions of the Codex process. It is fixed in Codex CLI 0.39.0 and IDE extension 0.4.12; unpatched developer workstations are exposed to credential theft and source code compromise.

Is CVE-2025-59532 actively exploited?

A public proof of concept is indexed (trickest/cve), which raises the likelihood of exploitation, but no in-the-wild exploitation has been reported: the CISA SSVC record lists Exploitation as "none" and the EPSS estimate is 0.1%.

How to fix CVE-2025-59532?

Follow the five steps under Recommended Action above. In short: update Codex CLI to 0.39.0 or later and the Codex IDE extension to 0.4.12 or later; inventory every workstation and CI/CD pipeline for affected versions (Codex CLI is normally installed globally, so check `npm ls -g @openai/codex` or `codex --version` rather than relying on package-lock.json); audit machines that ran affected versions for unexpected writes outside the working directory, particularly under ~/.ssh, ~/.aws, ~/.config, and credential files; add monitoring for file creation or modification in those directories during Codex process activity; and, if patching is blocked, run Codex in a container that bind-mounts only the project directory and no credential stores.

What systems are affected by CVE-2025-59532?

The affected software is OpenAI Codex CLI versions 0.2.0 through 0.38.0 and the Codex IDE extension before 0.4.12. In architectural terms this covers AI coding agents, developer workstations, CI/CD pipelines, and agent frameworks that run the affected versions.

What is the CVSS score for CVE-2025-59532?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox's writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enabled arbitrary file writes and command execution where the Codex process has permissions; this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0, which canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue.
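The description above names the bug (the model-generated cwd becomes the writable root) and the fix (canonicalize, then validate against the directory the user started in). The block below is an added example written for this page, not the Codex CLI source: it reconstructs the two shapes of that decision in simplified form. `vulnerable_writable_root` stands in for the pre-0.39.0 behaviour; `hardened_writable_root` resolves `..`, `.`, and symlinks before checking containment, and rejects the classic prefix-string mistake where `/srv/work/project-evil` would pass a `startswith("/srv/work/project")` test. Function names, the `/srv/work/project` paths, and the temporary workspace in `symlink_escape_blocked` are assumptions made for the example.

```python
"""Sandbox-root selection: vulnerable shape beside the hardened one.

Added example for this page, not the Codex CLI implementation. It models the
flaw the advisory describes and the kind of check the fix introduces.
"""
import tempfile
from pathlib import Path


class SandboxEscape(PermissionError):
    """Raised when a model-supplied cwd resolves outside the session root."""


def vulnerable_writable_root(session_root: str, model_cwd: str) -> Path:
    """Pre-0.39.0-style logic (simplified): whatever cwd the model emitted
    becomes the writable root, even if it is /root/.ssh."""
    return Path(model_cwd)


def hardened_writable_root(session_root: str, model_cwd: str) -> Path:
    """Return the writable root to enforce, or raise SandboxEscape.

    The boundary is the canonicalized directory the user started in. A
    model-supplied cwd is accepted only if, after resolving '..', '.', and
    symlinks, it is that directory or lies strictly beneath it.
    """
    root = Path(session_root).resolve()
    # A relative cwd is anchored to the root; an absolute cwd replaces it
    # (pathlib join semantics), which is exactly the case that must be validated.
    candidate = (root / model_cwd).resolve()
    # Component-wise containment, not string prefix: "/srv/work/project-evil"
    # starts with "/srv/work/project" but is not inside it.
    if candidate != root and root not in candidate.parents:
        raise SandboxEscape(
            f"model cwd {model_cwd!r} resolves to {candidate}, outside {root}"
        )
    return candidate


def write_allowed(session_root: str, model_cwd: str, target: str) -> bool:
    """Policy decision for one write: the target must stay inside the hardened
    root, which itself must stay inside the session root."""
    try:
        root = hardened_writable_root(session_root, model_cwd)
    except SandboxEscape:
        return False
    resolved = (root / target).resolve()
    return resolved == root or root in resolved.parents


def symlink_escape_blocked():
    """Build a temp workspace with a symlink pointing outside it and check that
    the hardened logic refuses to use the link as cwd. Returns True if blocked,
    False if the escape got through, None if this platform cannot create symlinks."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp, "project")
        outside = Path(tmp, "outside")
        project.mkdir()
        outside.mkdir()
        try:
            (project / "vendor").symlink_to(outside, target_is_directory=True)
        except OSError:
            return None
        try:
            hardened_writable_root(str(project), "vendor")
        except SandboxEscape:
            return True
        return False


if __name__ == "__main__":
    root = "/srv/work/project"  # assumed session start directory
    print("vulnerable:", vulnerable_writable_root(root, "/root/.ssh"))
    for cwd in (".", "src", "../../.ssh", "/root/.ssh", "/srv/work/project-evil"):
        try:
            print("hardened:", cwd, "->", hardened_writable_root(root, cwd))
        except SandboxEscape as exc:
            print("hardened:", cwd, "-> rejected:", exc)
    print("symlink escape blocked:", symlink_escape_blocked())
```

The point of resolving both sides before comparing is that `..` segments, absolute paths, and symlinks planted in the repository are all normalized away before the containment check runs; a check on the raw string the model produced would miss each of them.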

Exploitation Scenario

An adversary plants malicious instructions inside a code file or repository comment that a developer asks Codex CLI to analyze or refactor. The injected content causes the model to generate a session working directory pointing to /Users/developer/.ssh or a CI/CD secrets directory rather than the actual project folder. Codex CLI, using the model-generated cwd as the sandbox root, allows the agent to write files to that path. The payload overwrites authorized_keys to establish SSH persistence, or reads .env credentials containing cloud API keys, all within a normal-looking Codex coding session. Because the network-disabled sandbox restriction was unaffected, nothing can be sent directly from inside the sandbox and no network sandbox alert is triggered; exfiltration of the harvested credentials relies on a second channel, such as staging them into files that leave the machine by other means.

Weaknesses (CWE)

Timeline

Published: September 22, 2025
Last Modified: September 22, 2025
First Seen: September 22, 2025

Related Vulnerabilities