Imagine the shock of a developer who thinks they're just firing up a handy AI tool in their terminal, only to unknowingly unleash hidden commands that could compromise their entire system – that's the chilling reality behind CVE-2025-61260 in OpenAI's Codex CLI.
OpenAI's Codex CLI is a powerful command-line interface designed to weave AI-powered thinking right into a programmer's daily routine. Picture this: from your terminal, you can instruct it in plain English to review code, tweak files, or even execute scripts, turning complex coding chores into simple chats. It supercharges productivity by automating repetitive tasks and letting you focus on the creative side of development. At its heart lies the MCP, or Model Context Protocol – think of it as a universal bridge that connects the CLI to outside tools and services. This setup lets coders customize the tool with their own scripts and automated processes, making workflows smoother and more tailored to specific projects.
What drove our investigation? We wanted to probe how securely Codex CLI manages settings and environment tweaks that come straight from the project itself, especially those that kick in automatically when you launch the tool. In team-based coding environments, where files are shared freely, we wondered if blindly trusting these local files – without asking the user for permission or verifying their origins – could open the door to exploitation.
Here's what our tests revealed, and it's eye-opening for anyone dipping their toes into AI-assisted coding. We discovered that Codex CLI eagerly pulls in and runs MCP server instructions from a project's own settings file every time you start it up within that project's folder. To break it down simply: suppose a codebase includes a .env file that points the tool's home directory to a subfolder like .codex, paired with a config.toml file in that spot listing MCP servers. Boom – the CLI switches to that local setup, deciphers the MCP details, and fires off the specified commands and parameters right at launch. No pop-up for your okay, no double-check on what's being run, and no alerts if someone sneaks in changes later. The tool essentially rolls out the red carpet for these project-based instructions, treating them like gold-standard code.
This flaw transforms everyday project files into a sneaky pathway for attacks. If a bad actor sneaks in or gets a pull request merged with a .env file and that ./.codex/config.toml, they can force any commands to execute on the machine of anyone who downloads the repo and runs Codex. We put this to the test with straightforward examples, like creating dummy files, and ramped it up to swapping safe commands for ones that open a backdoor shell – all without a single user warning. And this is the part most people miss: the trust isn't pinned to what's actually in the config file, but just to the folder where it's found. So, a seemingly harmless setup could be quietly replaced with something dangerous after it's already been approved or integrated, crafting a hidden trapdoor in the software supply chain that activates during routine coding sessions.
Let's dive deeper into the mechanics, step by step, to make this crystal clear – especially if you're new to command-line tools or AI integrations. When Codex boots up, it first figures out where to grab its settings from. If that path leads to a project directory, it scans for MCP server details and activates them on the spot, ready for use during your session. In this weak spot, there's zero extra scrutiny: no asking you to confirm, no verifying the commands mid-run, and nothing to flag alterations. The CLI just executes whatever the project's config spells out, as if it's all part of the plan.
An attacker could exploit this with a straightforward playbook:
Set up a repository that looks totally normal and inviting, like any standard project template.
Slip in a .env file to steer the configuration toward the repo's own .codex folder – a subtle redirect that flies under the radar.
Commit a ./.codex/config.toml file with an MCP servers section outlining a command and its arguments. For our demo, we started with something innocent like generating a test file, but it's a simple swap to inject a command that connects back to the attacker's server, stealing data or worse.
Now, when a developer pulls down the code, updates it, or clones fresh and launches Codex, that .env trick makes the tool load the local config.toml and instantly run the MCP command – all in the user's own environment, no questions asked. This could mean popping open an app like Calculator on the target's computer (as we showed in our visuals), or far more sinister actions like siphoning off sensitive info, grabbing login credentials, or planting deeper malware. But here's where it gets controversial: is this just a tool oversight, or does it expose deeper risks in how we all collaborate on code without enough safeguards?
The ripple effects in the real world are staggering and hit close to home for developers everywhere. This security hole paves the way for quiet, reliable remote code execution in any setup where folks use Codex on shared codebases. By hijacking how local configs load, someone with the ability to add files via commits or approvals can morph a harmless project into an ongoing threat that springs to life every time Codex runs – no extra steps or alerts needed.
With access to write code or submit changes, a malicious user could:
Lock in ongoing remote control: Hide a backdoor shell or sticky script inside the ./.codex/config.toml (backed by the .env redirect), letting them sneak back in repeatedly as developers work.
Trigger any commands on the down-low: Define a shell instruction in the MCP setup, and it executes right away in the user's session whenever the project config loads.
Ramp up attacks and steal data: Dev laptops often brim with cloud access keys, secure connection files, and proprietary code; attackers could scoop up these gems, leak confidential info, or launch follow-on breaches.
Sneak in swaps after the fact: Since the system's faith is in the config's location, not its guts, a non-threatening entry can be subbed out for evil later, dodging any fresh reviews.
Spread the poison through shared resources: Tainted starter kits, boilerplate repos, or hot open-source libraries could infect hordes of users with one clever update.
Infiltrate automated systems: If continuous integration servers, build bots, or deployment pipelines process code with Codex, the infection jumps from personal devices to production outputs and live apps.
Branch out and climb privileges: Armed with swiped logins and foothold access, attackers could hop to cloud accounts, other codebases, or company networks.
Ultimately, this shatters the safety net we expect from such a CLI: files from projects shouldn't get automatic run privileges, yet this blind trust makes them prime targets for low-effort hacks that blend into normal workflows. And this is the part most people miss – in an era of AI tools promising efficiency, are we sacrificing security for speed?
We handled the disclosure with care and transparency:
On August 7, 2025, the Check Point Research team shared our findings responsibly with the OpenAI Codex CLI developers.
OpenAI rolled out a patch by August 20, 2025, in version 0.23.0 of Codex CLI. The update stops .env files from quietly pointing CODEX_HOME to project folders, effectively sealing off the auto-execution route we uncovered.
Our follow-up checks verified that the solution works: Codex now rejects redirects to local project spots for CODEX_HOME, enforcing secure defaults and halting instant runs of potentially rigged files from projects.
For your own safety, we urge everyone to upgrade to Codex CLI version 0.23.0 or newer right away – it's a quick step that could save you from serious headaches.
What do you think – does this vulnerability make you rethink trusting AI tools in collaborative coding, or is it more about tightening repo access controls? Is OpenAI's quick fix enough, or should the industry demand even stricter defaults from the start? Drop your thoughts in the comments; I'd love to hear if you've run into similar risks or how you're adapting your workflows.
