
CVE-2025-59532: CWE-20: Improper Input Validation in openai codex

Severity: High
Tags: Vulnerability, CVE-2025-59532, cve, cve-2025-59532, cwe-20
Published: Mon Sep 22 2025 (09/22/2025, 20:26:42 UTC)
Source: CVE Database V5
Vendor/Project: openai
Product: codex

Description

Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox's writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enabled arbitrary file writes and command execution wherever the Codex process has permissions; it did not impact the network-disabled sandbox restriction. The issue has been patched in Codex CLI 0.39.0, which canonicalizes the boundary used for sandbox policy and validates that it is based on where the user started the session, not on the cwd generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. Users of the Codex IDE extension should immediately update to 0.4.12, which fixes the sandbox issue.

AI-Powered Analysis

Last updated: 09/30/2025, 00:50:18 UTC

Technical Analysis

CVE-2025-59532 is a high-severity vulnerability affecting OpenAI's Codex CLI versions 0.2.0 through 0.38.0. Codex CLI is a local coding agent that executes code generation tasks within a sandboxed environment to restrict file system and command execution capabilities. The vulnerability arises from improper input validation (CWE-20) in the sandbox configuration logic. Specifically, the sandbox boundary was determined based on a model-generated current working directory (cwd), which could be manipulated to point outside the intended workspace folder. This flaw allowed the Codex CLI process to treat arbitrary paths outside the user’s session directory as writable roots, effectively bypassing sandbox restrictions. As a result, an attacker could achieve arbitrary file writes and command execution with the permissions of the Codex process. Notably, this vulnerability does not affect the network-disabled sandbox restriction, limiting remote exploitation vectors. The issue was patched in Codex CLI version 0.39.0 by canonicalizing and validating the sandbox boundary strictly based on the user’s session start directory rather than the model-generated cwd. Users of affected versions are strongly advised to update immediately to the fixed versions, including the Codex IDE extension update to 0.4.12. The CVSS 4.0 score of 8.6 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, no privileges required, but user interaction needed. No known exploits are currently reported in the wild.
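
The boundary check described above, as an added Rust example that is not Codex CLI's code or the actual patch: the writable root is fixed from the session start directory, and a model-requested cwd is accepted only if its canonical form stays inside that root. `SandboxPolicy`, `resolve_cwd`, `demo` and the directory layout are hypothetical names constructed for illustration.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Hypothetical policy type (assumption, not a Codex CLI type): the writable
/// root is fixed once, from the directory where the user started the session.
pub struct SandboxPolicy {
    writable_root: PathBuf,
}

impl SandboxPolicy {
    pub fn new(session_start: &Path) -> io::Result<Self> {
        Ok(Self { writable_root: fs::canonicalize(session_start)? })
    }

    /// Validate a model-supplied cwd against the session root.
    pub fn resolve_cwd(&self, requested: &str) -> io::Result<PathBuf> {
        // join() lets an absolute `requested` replace the root entirely, so the
        // check below must run on the canonical result, not on the raw string.
        let real = fs::canonicalize(self.writable_root.join(requested))?;
        // Path::starts_with compares whole components: ".../workspace2" is not
        // inside ".../workspace", unlike a plain string-prefix test.
        if real.starts_with(&self.writable_root) {
            Ok(real)
        } else {
            let msg = format!("cwd {} is outside the session root", real.display());
            Err(io::Error::new(io::ErrorKind::PermissionDenied, msg))
        }
    }
}

/// Runs the check over a constructed directory tree under the temp dir and
/// returns, per requested cwd, whether it was accepted.
pub fn demo() -> io::Result<Vec<bool>> {
    let base = std::env::temp_dir().join(format!("cwd-boundary-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    fs::create_dir_all(base.join("workspace/src"))?;
    fs::create_dir_all(base.join("workspace2"))?;
    fs::create_dir_all(base.join("outside"))?;
    #[cfg(unix)]
    std::os::unix::fs::symlink(base.join("outside"), base.join("workspace/link"))?;
    let policy = SandboxPolicy::new(&base.join("workspace"))?;
    let abs = base.join("outside").display().to_string();
    let cases = ["src", "src/..", "../workspace2", "../outside", abs.as_str(), "link"];
    let accepted: Vec<bool> = cases.iter().map(|c| policy.resolve_cwd(c).is_ok()).collect();
    fs::remove_dir_all(&base)?;
    Ok(accepted)
}

fn main() { println!("{:?}", demo()); }
```

Only the two requests that resolve inside the session directory are accepted; the sibling directory, the parent traversal, the absolute path and the symlink that points outside the workspace are all rejected.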

Potential Impact

For European organizations, this vulnerability poses significant risks, especially for development teams and environments using Codex CLI for local code generation and automation. Successful exploitation could lead to unauthorized file modifications, insertion of malicious code, or execution of arbitrary commands on developer machines or build servers. This can compromise source code integrity, leak sensitive intellectual property, or introduce backdoors into software supply chains. Given the integration of Codex in development workflows, exploitation could cascade into production environments, impacting confidentiality and availability of critical systems. The vulnerability’s ability to bypass sandbox boundaries undermines a key security control, increasing the attack surface. Although network restrictions limit remote exploitation, insider threats or phishing attacks that trick users into running malicious model outputs could trigger the exploit. The impact is particularly severe for organizations handling sensitive data or operating in regulated sectors such as finance, healthcare, and critical infrastructure within Europe, where compliance with data protection laws (e.g., GDPR) is mandatory.

Mitigation Recommendations

European organizations should immediately update all Codex CLI installations to version 0.39.0 or later and the Codex IDE extension to 0.4.12 or later to ensure sandbox boundaries are properly enforced. Beyond patching, organizations should implement strict access controls on developer workstations, limiting Codex process permissions to the minimum necessary. Employ endpoint detection and response (EDR) solutions to monitor for unusual file writes or command executions originating from Codex processes. Enforce code review and validation procedures to detect unexpected code changes potentially introduced via compromised Codex outputs. Network segmentation and disabling unnecessary network access for developer machines can reduce exposure. Additionally, educate developers about the risks of executing untrusted model-generated code and implement multi-factor authentication to reduce the risk of unauthorized access. Regularly audit and verify sandbox configurations and environment variables to detect any deviations from expected boundaries.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-17T17:04:20.373Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68d1b30dc6427514cac5c458

Added to database: 9/22/2025, 8:35:25 PM

Last enriched: 9/30/2025, 12:50:18 AM

Last updated: 11/5/2025, 11:24:16 PM
