OpenAI Codex CLI: RCE via malicious MCP config files — CRITICAL (CVE-2025-61260)

Q: Is CVE-2025-61260 actively exploited?

No confirmed active exploitation of CVE-2025-61260 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-61260?

1. Update OpenAI Codex CLI immediately to the latest version that patches this automatic config loading behavior. 2. Audit all repositories previously processed with Codex CLI for unexpected `.codex/config.toml` or anomalous `.env` files — treat any unknown entries as indicators of compromise. 3. Rotate all credentials (API keys, cloud tokens, database passwords) stored in `.env` files if Codex was used on untrusted repositories. 4. Enforce a policy of never running Codex CLI in newly cloned or unreviewed repositories without manual inspection of config files. 5. Consider containerizing or sandboxing Codex CLI execution to limit blast radius on developer workstations. 6. Monitor process trees for unexpected child processes spawned by the Codex CLI process as a detection signal. 7. Review CI/CD pipeline access from developer machines that may have been exposed.

Q: What systems are affected by CVE-2025-61260?

This vulnerability affects the following AI/ML architecture patterns: AI developer tooling, MCP-enabled agent workflows, CI/CD pipelines using AI coding assistants, Developer workstations with AI tool integrations, Agent frameworks.

Q: What is the CVSS score for CVE-2025-61260?

CVE-2025-61260 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.05%.

CISO Take

OpenAI Codex CLI v0.23.0 and earlier automatically loads and executes commands from project-local `.env` and `.codex/config.toml` files without any user confirmation, enabling arbitrary code execution the moment a developer runs `codex` inside a malicious or compromised repository. This is particularly dangerous in AI development environments where engineers routinely clone third-party repositories — a single `git clone` followed by `codex` is all it takes for full system compromise, with no exploit tooling or elevated privileges required. Developer workstations are high-value targets: they routinely hold LLM API keys, cloud credentials, SSH keys, and access to CI/CD pipelines, meaning a single victim can become a supply chain entry point. Organizations should immediately update Codex CLI beyond v0.23.0, audit repositories being analyzed with Codex for unexpected config files, and enforce manual review policies before running any AI developer tools on untrusted codebases.

Sources: NVD ATLAS research.checkpoint.com

What is the risk?

HIGH risk for organizations with active OpenAI Codex CLI deployments in development workflows. The attack requires no special privileges and only minimal user interaction — running a routine developer command. The absence of any confirmation prompt before executing project-local configuration creates a silent 'drive-by' execution pattern weaponizable via malicious repositories, pull request poisoning, or social engineering. EPSS data is unavailable at time of enrichment, but the trivially low exploitation bar combined with the high value of developer workstations (API keys, cloud tokens, CI/CD access) elevates practical risk substantially beyond what the raw CVSS absence implies.

Attack Kill Chain

Repository Weaponization

Attacker creates or compromises a repository by embedding malicious shell commands inside `.codex/config.toml` or `.env` files, disguised as legitimate project configuration.

AML.T0081

User Execution

Developer clones the repository and runs the `codex` command as a routine AI-assisted coding workflow step inside the malicious project directory.

AML.T0011

Silent Config Execution

Codex CLI automatically loads the project-local config files without any user confirmation prompt, immediately executing the embedded malicious commands via the system shell.

AML.T0050

Credential Theft and Lateral Movement

Attacker achieves arbitrary code execution on the developer's workstation, harvesting LLM API keys, cloud tokens, SSH keys, and pivoting into CI/CD infrastructure or the broader supply chain.

AML.T0083

Repository Weaponization

Attacker creates or compromises a repository by embedding malicious shell commands inside `.codex/config.toml` or `.env` files, disguised as legitimate project configuration.

AML.T0081

User Execution

Developer clones the repository and runs the `codex` command as a routine AI-assisted coding workflow step inside the malicious project directory.

AML.T0011

Silent Config Execution

Codex CLI automatically loads the project-local config files without any user confirmation prompt, immediately executing the embedded malicious commands via the system shell.

AML.T0050

Credential Theft and Lateral Movement

Attacker achieves arbitrary code execution on the developer's workstation, harvesting LLM API keys, cloud tokens, SSH keys, and pivoting into CI/CD infrastructure or the broader supply chain.

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
@openai/codex	npm	<= 0.23.0	No patch
10.9K 3.9K dependents Pushed 7d ago 50% patched ~0d to patch Full package profile →

Do you use @openai/codex? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

7 steps

Update OpenAI Codex CLI immediately to the latest version that patches this automatic config loading behavior.
Audit all repositories previously processed with Codex CLI for unexpected .codex/config.toml or anomalous .env files — treat any unknown entries as indicators of compromise.
Rotate all credentials (API keys, cloud tokens, database passwords) stored in .env files if Codex was used on untrusted repositories.
Enforce a policy of never running Codex CLI in newly cloned or unreviewed repositories without manual inspection of config files.
Consider containerizing or sandboxing Codex CLI execution to limit blast radius on developer workstations.
Monitor process trees for unexpected child processes spawned by the Codex CLI process as a detection signal.
Review CI/CD pipeline access from developer machines that may have been exposed.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0011 - User Execution AML.T0050 - Command and Scripting Interpreter AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.2 - AI risk assessment

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain AI system value and manage identified risks

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM09 - Overreliance

Frequently Asked Questions

What is CVE-2025-61260?

OpenAI Codex CLI v0.23.0 and earlier automatically loads and executes commands from project-local `.env` and `.codex/config.toml` files without any user confirmation, enabling arbitrary code execution the moment a developer runs `codex` inside a malicious or compromised repository. This is particularly dangerous in AI development environments where engineers routinely clone third-party repositories — a single `git clone` followed by `codex` is all it takes for full system compromise, with no exploit tooling or elevated privileges required. Developer workstations are high-value targets: they routinely hold LLM API keys, cloud credentials, SSH keys, and access to CI/CD pipelines, meaning a single victim can become a supply chain entry point. Organizations should immediately update Codex CLI beyond v0.23.0, audit repositories being analyzed with Codex for unexpected config files, and enforce manual review policies before running any AI developer tools on untrusted codebases.

Is CVE-2025-61260 actively exploited?

No confirmed active exploitation of CVE-2025-61260 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-61260?

1. Update OpenAI Codex CLI immediately to the latest version that patches this automatic config loading behavior. 2. Audit all repositories previously processed with Codex CLI for unexpected `.codex/config.toml` or anomalous `.env` files — treat any unknown entries as indicators of compromise. 3. Rotate all credentials (API keys, cloud tokens, database passwords) stored in `.env` files if Codex was used on untrusted repositories. 4. Enforce a policy of never running Codex CLI in newly cloned or unreviewed repositories without manual inspection of config files. 5. Consider containerizing or sandboxing Codex CLI execution to limit blast radius on developer workstations. 6. Monitor process trees for unexpected child processes spawned by the Codex CLI process as a detection signal. 7. Review CI/CD pipeline access from developer machines that may have been exposed.

What systems are affected by CVE-2025-61260?

This vulnerability affects the following AI/ML architecture patterns: AI developer tooling, MCP-enabled agent workflows, CI/CD pipelines using AI coding assistants, Developer workstations with AI tool integrations, Agent frameworks.

What is the CVSS score for CVE-2025-61260?

CVE-2025-61260 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.05%.

AI Security Impact

Affected AI Architectures

AI developer toolingMCP-enabled agent workflowsCI/CD pipelines using AI coding assistantsDeveloper workstations with AI tool integrationsAgent frameworks

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool

AML.T0011 User Execution

AML.T0050 Command and Scripting Interpreter

AML.T0081 Modify AI Agent Configuration

AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: 8.2

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM07, LLM09

Technical Details

Original Advisory

A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

Exploitation Scenario

An adversary publishes a convincing AI/ML project on GitHub — perhaps a new LangChain integration or a popular fine-tuning script — embedding malicious shell commands inside `.codex/config.toml` (e.g., a curl-piped reverse shell or credential exfiltration script). When a developer or AI security researcher clones the repo and types `codex` to analyze the codebase — a completely natural workflow step — Codex CLI silently loads the config without any confirmation dialog and executes the embedded commands. Within seconds the attacker has a shell on the developer's machine, access to all stored LLM API keys and cloud tokens, and a foothold into the victim's CI/CD infrastructure. This attack scales via pull request poisoning of legitimate popular AI repositories, typosquatted repos, or compromised upstream dependencies — any vector that gets a malicious `.codex/config.toml` onto the developer's filesystem.