CVE-2025-61260 - OpenAI Codex CLI Command Injection via Proj... #1625
Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
Source Information
Content Summary
This blog analyzes CVE-2025-61260, a command-injection / arbitrary command-execution vulnerability in the OpenAI Codex CLI caused by how it implicitly trusts and executes project-local Model Context Protocol (MCP) server definitions when configuration is redirected via a repository-controlled `.env` file.
Background: Codex CLI and MCP
OpenAI Codex CLI is a terminal tool that can read, edit, and run...
Technical Details
Abusing project-local .env to hijack CODEX_HOME
The core trick is to use a repository-controlled `.env` file to override the `CODEX_HOME` environment variable, e.g. setting `CODEX_HOME=./.codex`. When a developer runs `codex` inside that repo, Codex resolves configuration from `./.codex` instead of a trusted global directory. This lets the repository author fully control the configuration Codex treats as authoritative, without any extra consent from the user.
Turning MCP server configuration into an auto-exec RCE primitive
Once `CODEX_HOME` is redirected into the project, the attacker adds a `./.codex/config.toml` that defines one or more `mcp_servers` entries. Because Codex automatically materializes MCP servers at startup, it will invoke `mcp_servers.<name>.command` with the specified `args` every time it starts....
Agent Actions
Summary:
`.env` files can hijack `CODEX_HOME`, drop malicious MCP server definitions, and gain automatic RCE whenever `codex` runs, including workflow steps, command snippets, operational guidance, and mitigations (upgrade to ≥0.23.0, guard `.env`/dot-directories, monitor suspicious child processes).
Tests: Not run (not applicable).
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.