CVE-2025-61260: OpenAI Codex CLI: RCE via malicious MCP config files
GHSA-xrxf-jgv3-qmrm CRITICAL CISA: ATTENDOpenAI Codex CLI v0.23.0 and earlier automatically loads and executes commands from project-local `.env` and `.codex/config.toml` files without any user confirmation, enabling arbitrary code execution the moment a developer runs `codex` inside a malicious or compromised repository. This is particularly dangerous in AI development environments where engineers routinely clone third-party repositories — a single `git clone` followed by `codex` is all it takes for full system compromise, with no exploit tooling or elevated privileges required. Developer workstations are high-value targets: they routinely hold LLM API keys, cloud credentials, SSH keys, and access to CI/CD pipelines, meaning a single victim can become a supply chain entry point. Organizations should immediately update Codex CLI beyond v0.23.0, audit repositories being analyzed with Codex for unexpected config files, and enforce manual review policies before running any AI developer tools on untrusted codebases.
What is the risk?
HIGH risk for organizations with active OpenAI Codex CLI deployments in development workflows. The attack requires no special privileges and only minimal user interaction — running a routine developer command. The absence of any confirmation prompt before executing project-local configuration creates a silent 'drive-by' execution pattern weaponizable via malicious repositories, pull request poisoning, or social engineering. EPSS data is unavailable at time of enrichment, but the trivially low exploitation bar combined with the high value of developer workstations (API keys, cloud tokens, CI/CD access) elevates practical risk substantially beyond what the raw CVSS absence implies.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenAI Node | npm | <= 0.23.0 | No patch |
Do you use OpenAI Node? You're affected.
How severe is it?
What is the attack surface?
What should I do?
7 steps-
Update OpenAI Codex CLI immediately to the latest version that patches this automatic config loading behavior.
-
Audit all repositories previously processed with Codex CLI for unexpected
.codex/config.tomlor anomalous.envfiles — treat any unknown entries as indicators of compromise. -
Rotate all credentials (API keys, cloud tokens, database passwords) stored in
.envfiles if Codex was used on untrusted repositories. -
Enforce a policy of never running Codex CLI in newly cloned or unreviewed repositories without manual inspection of config files.
-
Consider containerizing or sandboxing Codex CLI execution to limit blast radius on developer workstations.
-
Monitor process trees for unexpected child processes spawned by the Codex CLI process as a detection signal.
-
Review CI/CD pipeline access from developer machines that may have been exposed.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-61260?
OpenAI Codex CLI v0.23.0 and earlier automatically loads and executes commands from project-local `.env` and `.codex/config.toml` files without any user confirmation, enabling arbitrary code execution the moment a developer runs `codex` inside a malicious or compromised repository. This is particularly dangerous in AI development environments where engineers routinely clone third-party repositories — a single `git clone` followed by `codex` is all it takes for full system compromise, with no exploit tooling or elevated privileges required. Developer workstations are high-value targets: they routinely hold LLM API keys, cloud credentials, SSH keys, and access to CI/CD pipelines, meaning a single victim can become a supply chain entry point. Organizations should immediately update Codex CLI beyond v0.23.0, audit repositories being analyzed with Codex for unexpected config files, and enforce manual review policies before running any AI developer tools on untrusted codebases.
Is CVE-2025-61260 actively exploited?
No confirmed active exploitation of CVE-2025-61260 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-61260?
1. Update OpenAI Codex CLI immediately to the latest version that patches this automatic config loading behavior. 2. Audit all repositories previously processed with Codex CLI for unexpected `.codex/config.toml` or anomalous `.env` files — treat any unknown entries as indicators of compromise. 3. Rotate all credentials (API keys, cloud tokens, database passwords) stored in `.env` files if Codex was used on untrusted repositories. 4. Enforce a policy of never running Codex CLI in newly cloned or unreviewed repositories without manual inspection of config files. 5. Consider containerizing or sandboxing Codex CLI execution to limit blast radius on developer workstations. 6. Monitor process trees for unexpected child processes spawned by the Codex CLI process as a detection signal. 7. Review CI/CD pipeline access from developer machines that may have been exposed.
What systems are affected by CVE-2025-61260?
This vulnerability affects the following AI/ML architecture patterns: AI developer tooling, MCP-enabled agent workflows, CI/CD pipelines using AI coding assistants, Developer workstations with AI tool integrations, Agent frameworks.
What is the CVSS score for CVE-2025-61260?
CVE-2025-61260 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 6.58%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0011 User Execution AML.T0050 Command and Scripting Interpreter AML.T0081 Modify AI Agent Configuration AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.
Exploitation Scenario
An adversary publishes a convincing AI/ML project on GitHub — perhaps a new LangChain integration or a popular fine-tuning script — embedding malicious shell commands inside `.codex/config.toml` (e.g., a curl-piped reverse shell or credential exfiltration script). When a developer or AI security researcher clones the repo and types `codex` to analyze the codebase — a completely natural workflow step — Codex CLI silently loads the config without any confirmation dialog and executes the embedded commands. Within seconds the attacker has a shell on the developer's machine, access to all stored LLM API keys and cloud tokens, and a foothold into the victim's CI/CD infrastructure. This attack scales via pull request poisoning of legitimate popular AI repositories, typosquatted repos, or compromised upstream dependencies — any vector that gets a malicious `.codex/config.toml` onto the developer's filesystem.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
GHSA-vjc7-jrh9-9j86 10.0 9Router: no-auth API leaks keys, chats, provider control
Same package: openai CVE-2024-23827 9.8 Nginx-UI: arbitrary file write via cert import leads to RCE
Same package: openai GHSA-gqqj-85qm-8qhf 8.7 paperclipai: connector trust bypass enables Gmail read/write
Same package: openai CVE-2024-22197 7.7 Nginx-UI: authenticated command injection to RCE
Same package: openai CVE-2025-69134 7.5 OpenAI Chatbot WP Helper: unauth content deletion
Same package: openai