
CVE-2025-61260 — OpenAI Codex CLI: Command Injection via Project-Local Configuration

0
Low
Vulnerability, local
Published: Mon Dec 01 2025 (12/01/2025, 13:20:36 UTC)
Source: Check Point Research

Description

By: Isabel Mill & Oded Vanunu

OpenAI Codex CLI is OpenAI’s command-line tool that brings AI model-backed reasoning into developer workflows. It can read, edit, and run code directly from the terminal, making it possible to interact with projects using natural language commands, automate tasks, and streamline day-to-day development. One of its key features is […]

The post CVE-2025-61260 — OpenAI Codex CLI: Command Injection via Project-Local Configuration appeared first on Check Point Research.

AI-Powered Analysis

Last updated: 12/01/2025, 13:22:26 UTC

Technical Analysis

OpenAI Codex CLI is a command-line tool that integrates AI-driven code reasoning into developer workflows, allowing natural language interaction with code projects. A critical design flaw was discovered in how Codex CLI handles project-local configuration files, specifically the automatic loading and execution of MCP (Model Context Protocol) server entries defined in a repository's .env and ./.codex/config.toml files.

When Codex CLI runs inside a repository, it resolves the CODEX_HOME environment variable to a local folder and parses MCP server commands from the config file, executing them immediately without any user interaction, validation, or re-checks upon changes. This implicit trust in project-supplied configuration enables an attacker who can commit or merge code into the repository to embed arbitrary shell commands that execute in the developer's context upon running Codex CLI. Demonstrated payloads include file creation and reverse shells, enabling silent remote code execution.

The vulnerability allows attackers to establish persistent backdoors, exfiltrate credentials (such as cloud tokens and SSH keys), contaminate CI/build pipelines, and facilitate lateral movement within networks. The attack surface includes any developer or automation environment running Codex CLI against compromised repositories. The root cause is the lack of validation and the automatic execution of untrusted project-local configuration.

The issue was responsibly disclosed to OpenAI on August 7, 2025, and fixed in Codex CLI version 0.23.0 by preventing .env files from redirecting CODEX_HOME to project directories, thereby stopping automatic execution of attacker-controlled config files. Users are strongly advised to upgrade to the patched version to mitigate this risk.

Potential Impact

For European organizations, this vulnerability poses significant risks to software development and CI/CD pipelines that incorporate OpenAI Codex CLI. Attackers gaining commit or PR access to repositories can silently execute arbitrary commands on developer machines, potentially leading to credential theft, data exfiltration, and persistent remote access. This undermines the confidentiality and integrity of source code and sensitive credentials, and can disrupt availability by contaminating build artifacts or triggering malicious automation workflows. The stealthy nature of the attack, requiring no user interaction beyond normal development activities, increases the likelihood of widespread compromise. Organizations relying on collaborative repositories, open-source dependencies, or automated build systems are particularly vulnerable. The supply-chain aspect means that a single compromised repository can propagate malicious payloads downstream, affecting multiple projects and teams. Additionally, compromised developer machines can serve as pivot points for attackers to access cloud infrastructure, internal networks, and other critical assets, amplifying the overall impact.

Mitigation Recommendations

1. Immediately update all OpenAI Codex CLI installations to version 0.23.0 or later, which contains the fix preventing project-local CODEX_HOME redirection and automatic execution of untrusted config files.
2. Enforce strict repository access controls and code review policies to prevent unauthorized commits or PRs that could introduce malicious .env or .codex/config.toml files.
3. Implement automated scanning of repository configuration files for suspicious MCP server entries or unexpected environment variable overrides before merging code.
4. Educate developers about the risks of running Codex CLI in untrusted repositories and encourage verification of project-local configurations.
5. Isolate developer environments and CI/CD pipelines to limit the impact of potential command injection, including running Codex CLI in sandboxed or containerized environments.
6. Monitor developer machines and build agents for unusual outbound connections or command executions indicative of reverse shells or exfiltration attempts.
7. Use secrets management and credential vaulting to reduce the exposure of sensitive tokens and keys on developer workstations.
8. Regularly audit and update dependencies and tools to incorporate security patches promptly.


Technical Details

Article Source
{"url":"https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/","fetched":true,"fetchedAt":"2025-12-01T13:22:13.941Z","wordCount":1144}

Threat ID: 692d9685038b4a5c0dd28ae5

Added to database: 12/1/2025, 1:22:13 PM

Last enriched: 12/1/2025, 1:22:26 PM

Last updated: 12/1/2025, 8:46:04 PM
