External risk intelligence

OpenAI Codex CLI Code Execution via Malicious MCP Configuration.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-61260

The vulnerability requires a user to manually execute a command within a specific local repository containing malicious configuration files. It is a developer-tooling issue that is not internet-facing, does not provide a remote network service, and requires local interaction by a user to trigger.

Code Injection

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the OpenAI Codex command-line tool allows for code execution if a user runs the tool within a compromised code repository. This occurs because the tool automatically loads configuration files that can contain malicious commands, which then run without further user interaction. The main concern is to confirm if this specific developer tool is in use and if there is any exposure.

  • Malicious code files can run automatically.
  • Developer tools can be a high-risk attack vector.
  • Confirm tool use and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could gain code execution by tricking a user into running a command within a repository containing a malicious configuration file. This configuration file, which the tool automatically loads, can contain arbitrary commands that run without further user interaction.

  • User runs a specific command.
  • Malicious MCP configuration file is loaded.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

When a user runs the `codex` command in a repository containing a malicious MCP configuration file, arbitrary commands could be executed. This occurs because the tool automatically loads project-local configuration files without user confirmation.

  • Code execution on a user's machine.
  • Malicious configuration files loaded automatically.
  • Unauthorized command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects users of OpenAI Codex CLI who interact with potentially malicious code repositories. Real-world ownership likely falls to development teams or platform teams responsible for developer tooling, with support from security teams for risk assessment. The first practical step is to identify any instances of the affected CLI, confirm if developers are interacting with untrusted or compromised repositories, and then plan remediation based on the potential for code execution during development workflows.

  • Developer or platform team ownership.
  • Verify CLI usage and repo interaction.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenAI Codex CLI?

OpenAI Codex CLI is a command-line interface tool used by developers to interact with OpenAI's coding models directly from their terminals. It helps automate coding tasks, generate suggestions, and manage project workflows. The tool is designed to work within local development environments, often reading project-specific files to better understand the codebase and provide context-aware assistance during software development.

How does CVE-2025-61260 lead to code execution?

This vulnerability is classified as CWE-94, which involves the improper control of generation of code. In this specific case, the OpenAI Codex CLI automatically processes local configuration files like .codex/config.toml without verifying their contents. Because the tool executes commands embedded within these files by default, a malicious configuration file can trick the software into running arbitrary, unauthorized commands on the user's system.

Do I need to be targeted for this to trigger?

The vulnerability requires a user to manually run the 'codex' command inside a specific directory that already contains a malicious MCP configuration file. It does not trigger automatically in the background or through general internet browsing. Merely having the tool installed is not enough; the bug only activates when a developer initiates a command within a directory that has been specifically prepared or compromised by an attacker.

Why should I care about this vulnerability?

You should care if you have developers using this tool, as it can allow unauthorized code execution on their machines. According to Halo Surface Signal, this is not an internet-facing network service; instead, it is a developer-tooling issue. The risk is highest for teams that frequently clone or work within untrusted, public, or shared code repositories where malicious configuration files could be hidden.

What are the first steps to address this?

Start by identifying which developers or systems are using OpenAI Codex CLI v0.23.0 or earlier. Once identified, ensure your team is aware of the risks associated with running CLI commands in repositories from untrusted sources. Review your internal development policies regarding the use of such tools and prioritize updating the software once a fix is available, while monitoring for any suspicious activity in development environments.

References