
OpenAI Codex CLI contained dangerous MCP security gap

Check Point Research discovered a critical vulnerability in OpenAI Codex CLI that allowed attackers to execute malicious code on developers’ devices without being detected. The security flaw was in the way the tool loaded project configurations. OpenAI fixed the issue in version 0.23.0 this summer.

Check Point researchers Isabel Mill and Oded Vanunu tested whether Codex CLI handled automatically loaded project files securely. They discovered that the tool executed MCP server configurations from local project folders without warning. Anyone who cloned a repository whose .env file pointed CODEX_HOME at a project folder could unknowingly execute malicious code if that folder contained malicious files.

This happened via the Model Context Protocol, intended to integrate external tools into the Codex environment. The CLI loaded MCP configurations from a .codex/config.toml file and executed the commands defined therein immediately upon startup. There was no approval prompt, no validation, and no check when the commands changed.

MCP itself does not contain extensive built-in security, even after a series of updates. Although Anthropic is trying to improve this, the emphasis is clearly on simplifying the connection to security tools, not on default security that creates friction for the protocol. That simply does not seem to be the intention of MCP.

Attack vector via regular repository files

The attack was simple to execute, the Check Point researchers explain. A .env file in the repository set CODEX_HOME to ./.codex. The corresponding .codex/config.toml then contained an mcp_servers entry with a command and args. Check Point demonstrated this with a harmless file creation payload, but later replaced it with a reverse shell. Both variants ran without user interaction.

The researchers also showed that an attacker could first commit a benign configuration to gain trust. After approval or merge, it could be replaced with a malicious version. The CLI only checked whether the MCP entry was present under CODEX_HOME, not what was in it. The result was a silent, reproducible supply chain backdoor that activated during normal development workflows.
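A defender-side audit of a fresh checkout, added here as an illustration and not code from Check Point or OpenAI: it flags the two ingredients the researchers describe, a .env that points CODEX_HOME into the project and a config.toml whose mcp_servers entries carry a command. The sample files and the minimal TOML reader are constructed for this example and assume the `[mcp_servers.<name>]` table layout.

```python
import re

# Constructed sample checkout (not from the article): a .env that points CODEX_HOME
# into the repository, and the config.toml that Codex CLI would then load from it.
SAMPLE_REPO = {
    ".env": "DATABASE_URL=postgres://localhost/dev\nexport CODEX_HOME='./.codex'\n",
    ".codex/config.toml": (
        "[mcp_servers.helper]\n"
        'command = "sh"\n'
        'args = ["-c", "echo hello > /tmp/hello.txt"]\n'
    ),
}

ENV_RE = re.compile(r'^\s*(?:export\s+)?CODEX_HOME\s*=\s*(["\']?)(.*?)\1\s*$', re.M)
TABLE_RE = re.compile(r"^\s*\[mcp_servers\.([^\]]+)\]\s*$")  # assumed table layout
KEY_RE = re.compile(r"^\s*(command|args)\s*=\s*(.+?)\s*$")

def env_codex_home(env_text):
    """Return the CODEX_HOME value a .env file would set, or None if it sets none."""
    m = ENV_RE.search(env_text)
    return m.group(2) if m else None

def is_project_relative(value):
    """True when the path would resolve inside the checkout instead of the user's home."""
    return not value.startswith(("/", "~", "$"))

def mcp_servers(toml_text):
    """Line-based reader for [mcp_servers.<name>] tables; not a full TOML parser."""
    servers, current = {}, None
    for line in toml_text.splitlines():
        table = TABLE_RE.match(line)
        if table:
            current = servers.setdefault(table.group(1), {})
            continue
        key = KEY_RE.match(line)
        if key and current is not None:
            current[key.group(1)] = key.group(2).strip("\"'")
    return servers

def audit_checkout(files):
    """Flag both ingredients of the attack path before anyone runs codex in this tree."""
    findings = []
    home = env_codex_home(files.get(".env", ""))
    if home is not None and is_project_relative(home):
        findings.append(f".env redirects CODEX_HOME to project path {home!r}")
    for path, text in files.items():
        if path.endswith("config.toml"):
            for name, entry in mcp_servers(text).items():
                if "command" in entry:
                    findings.append(f"{path}: mcp_servers.{name} would run {entry['command']} {entry.get('args', '')}")
    return findings
```

Running `audit_checkout(SAMPLE_REPO)` returns two findings, one for the redirected CODEX_HOME and one for the in-repo MCP command; a checkout whose .env leaves CODEX_HOME unset or absolute returns none.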

Consequences for developers and companies

The impact extended beyond individual machines. Developer systems often contain cloud tokens, SSH keys, and source code. An attacker could steal credentials, exfiltrate secrets, or roll out further exploits. Because the vulnerability lay in the trust that Codex CLI placed in project files, attackers had multiple options.

They could install a reverse shell for persistent access. Every time a developer ran codex, the attacker regained control. Arbitrary shell commands ran in the context of the user, allowing attackers to escalate privileges. Through infected templates, starter repos, or popular open source projects, attackers could affect many downstream users with a single commit.

CI/CD pipelines were also at risk. If build agents ran codex on checked-out code, the compromise could propagate into build artifacts and production environments. Supply chain attacks have been on the rise for several years, and this vulnerability is an example of the potential attack paths that malicious actors can take.

Fix and responsible disclosure

Check Point reported the issue to OpenAI on August 7, 2025. The company released a patch in Codex CLI version 0.23.0 thirteen days later. The fix prevents .env files from redirecting CODEX_HOME to project directories. This blocks the automatic execution of attacker-controlled files.

Testing by Check Point confirmed that the patch works. Codex CLI now allows for more secure defaults and stops the direct execution of project-supplied files. OpenAI strongly recommends that all users upgrade to version 0.23.0 or higher.

The vulnerability was assigned the classification CVE-2025-61260. This was not the first time this year that an AI development tool has faced security issues. Google’s Gemini CLI was previously found to be vulnerable to prompt injection attacks. That was within 48 hours of its launch.