What Should Developers Know About Command Injection Vulnerabilities in AI-Powered Coding Tools?
Security researchers at Check Point Research (CPR) identified a critical command injection vulnerability in OpenAI’s Codex CLI tool. Tracked as CVE-2025-61260, this flaw enables attackers to execute unauthorized code through manipulated project configuration files.
How Codex CLI Functions
Codex CLI serves as OpenAI’s command-line interface that integrates AI-driven programming capabilities into developer workflows. The tool allows developers to work entirely within their terminal environment, utilizing ChatGPT-like assistance for code generation, file editing, and repository management—all under version control.
The tool operates with minimal setup requirements. Developers need only provide an OpenAI API key to begin. Originally implemented in TypeScript, Codex CLI has since transitioned to a Rust-based architecture. The open-source nature of the project enables community contributions and transparent development tracking.
Technical Analysis of the Vulnerability
CPR researchers investigated whether Codex CLI properly validates project-provided configurations and environment variables loaded during runtime. Their focus centered on whether the CLI appropriately verifies project files before execution, particularly in collaborative development environments.
The investigation revealed a critical flaw: Codex CLI automatically loads and executes Model Context Protocol (MCP) server entries from project-local configuration files when launched within a repository. The CLI resolves configuration from the local directory, parses MCP definitions, and immediately executes declared commands during startup.
This process lacks three essential security measures:
- No interactive approval prompts
- No secondary validation of commands or arguments
- No re-verification when configuration values change
The CLI treats project-local MCP configurations as inherently trusted, creating an exploitable attack vector.
Demonstrated Attack Scenarios
Security researchers confirmed the vulnerability using multiple payload types, including file creation tests and reverse shell implementations. Both executed without user interaction. The vulnerability's persistence mechanism depends on the presence of MCP entries under the resolved CODEX_HOME path rather than on their content, so an attacker can replace a legitimate configuration with a malicious one after it has been approved once.
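The three missing controls listed above and the presence-rather-than-content persistence problem point at the same defensive fix: treat every project-local MCP entry as untrusted until its full content (command, arguments, environment) matches a fingerprint recorded at review time, and fail closed otherwise. The following script is an added example written for this article, not code from Codex CLI or from Check Point; it assumes a `[mcp_servers.<name>]` table layout in `.codex/config.toml` (the real layout is not shown in the article), the sample configuration is constructed, and the shell-interpreter heuristic is only a triage hint, not a verdict. It needs Python 3.11 for `tomllib`.

```python
import hashlib
import json
from pathlib import PurePosixPath

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample of a project-local .codex/config.toml declaring two MCP
# servers. The [mcp_servers.<name>] layout is an assumption for this example.
SAMPLE_CONFIG = """
[mcp_servers.docs]
command = "npx"
args = ["-y", "@example/docs-mcp"]

[mcp_servers.helper]
command = "bash"
args = ["-c", "echo placeholder-command"]
"""

# Commands whose basename is a shell interpreter get flagged for closer review.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}


def extract_mcp_entries(toml_text: str) -> dict[str, dict]:
    """Return {server_name: {command, args, env}} from the config text."""
    data = tomllib.loads(toml_text)
    entries = {}
    for name, spec in data.get("mcp_servers", {}).items():
        entries[name] = {
            "command": spec.get("command", ""),
            "args": list(spec.get("args", [])),
            "env": dict(spec.get("env", {})),
        }
    return entries


def entry_fingerprint(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding: any change to command, args
    or env produces a different fingerprint, so content is pinned, not
    merely the entry's presence."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def audit_mcp_config(toml_text: str, approvals: dict[str, str]) -> dict[str, dict]:
    """Classify each MCP entry against fingerprints approved at review time.

    'approved'   - name known and content unchanged since approval
    'changed'    - name known but content differs (swapped after review)
    'unapproved' - entry never reviewed
    """
    report = {}
    for name, entry in extract_mcp_entries(toml_text).items():
        fp = entry_fingerprint(entry)
        if name not in approvals:
            status = "unapproved"
        elif approvals[name] != fp:
            status = "changed"
        else:
            status = "approved"
        basename = PurePosixPath(entry["command"]).name.lower()
        report[name] = {
            "status": status,
            "fingerprint": fp,
            "shell_interpreter": basename in SHELL_INTERPRETERS,
        }
    return report


def should_block(report: dict[str, dict]) -> bool:
    """Fail closed: any entry that is not exactly its approved content blocks startup."""
    return any(r["status"] != "approved" for r in report.values())


if __name__ == "__main__":
    # Simulate a first run with no approvals recorded: everything is unapproved.
    for name, r in audit_mcp_config(SAMPLE_CONFIG, {}).items():
        print(f"{name:8} {r['status']:11} shell={r['shell_interpreter']} {r['fingerprint'][:16]}")
```

The approval record would be stored outside the repository (for example under the user's home directory), so that a commit cannot both change an MCP entry and update its own approval; the `changed` status is exactly the re-verification step the article says the affected versions lacked.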
Potential exploitation methods include:
- Establishing persistent remote access through reverse shell configurations in .codex/config.toml files
- Executing arbitrary commands silently within the user’s security context
- Extracting sensitive credentials including cloud tokens, SSH keys, and proprietary source code
- Replacing initially benign configurations with malicious payloads after code review
- Propagating malware through software supply chains via compromised templates and starter repositories
- Compromising CI/CD pipelines when automated systems execute Codex within infected projects
- Facilitating lateral movement across networks using stolen authentication credentials
Industry Implications
Oded Vanunu, Chief Technologist and Head of Product Vulnerability Research at Check Point, emphasized the severity: “Attackers no longer need to penetrate the infrastructure; they simply exploit the trust model surrounding development tools. If an AI tool loads and executes files without validation, the company loses control over one of its most routine processes.”
This vulnerability represents an emerging class of supply chain attacks that exploit the implicit trust relationships within development toolchains. Organizations must implement verification processes for all inputs entering their development pipelines, rather than focusing solely on output validation.
Timeline and Remediation
Check Point Research disclosed the vulnerability to OpenAI on August 7, 2025. OpenAI responded by releasing Codex CLI version 0.23.0 on August 20, 2025, which implements controls blocking automatic CODEX_HOME redirection through .env files.
The vulnerability affects all Codex CLI versions prior to 0.23.0. Organizations using affected versions should update immediately to mitigate exploitation risks.