CVE-2025-61260 affects OpenAI Codex CLI and allows remote code execution via project-local MCP configuration files automatically loaded at runtime, mapped to MITRE ATT&CK T1195 (Supply Chain Compromise) and T1203 (Exploitation for Client Execution). When a repository includes a .env file that sets CODEX_HOME=./.codex and a ./.codex/config.toml with mcp_servers entries, vulnerable versions of codex treated those project-local definitions as trusted execution material. Simply running codex inside such a repo caused the CLI to parse mcp_servers.*.command entries and immediately execute the specified commands, with no interactive approval and no re-validation if the config later changed.

This behavior turns ordinary repo files into a supply chain execution vector: any attacker with commit or pull request access can land a benign-looking .env and config.toml pair, then later swap in reverse shell payloads or data-harvesting commands. Developers who clone the repo and invoke codex in their normal workflow have arbitrary commands executed in their context, potentially exposing SSH keys, cloud tokens, and source code, or compromising CI agents that integrate Codex CLI. The trust model binds to the location of CODEX_HOME, not to its content, allowing stealthy post-merge payload changes that still auto-execute.

For organizations, the business impact includes potential compromise of developer endpoints and build infrastructure, which can cascade into source code theft, CI/CD pipeline hijacking, and downstream supply chain compromise of customers and partners. Because the attack rides on standard dev workflows and uses first-party automation features, detection through traditional endpoint or network monitoring may lag behind real exploitation, increasing the risk of long dwell times.

OpenAI released Codex CLI version 0.23.0 on August 20, 2025, blocking project-local redirection of CODEX_HOME and closing the automatic execution path.
All users should upgrade to 0.23.0 or later and audit repositories for suspicious .env and ./.codex/config.toml patterns. Security teams should treat codex integration as part of their secure development lifecycle, reviewing tool configurations, limiting which repos may use MCP integrations, and monitoring for anomalous codex invocations or outbound connections initiated shortly after codex startup.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: CVE-2025-61260 enables silent command execution on developer machines and possibly CI agents via weaponized project configurations, putting intellectual property, credentials, and build artifacts at risk. Successful exploitation can lead to source code theft, software supply chain compromise, and reputational damage for organizations that ship code built in compromised environments.

Technical Context: The vulnerability reflects T1195 supply chain compromise and T1203 exploitation for client execution, where project-local .env and MCP config files are implicitly trusted and auto-executed by Codex CLI. By exploiting the CODEX_HOME redirection behavior, attackers can persist stealthy backdoors that trigger on normal codex usage until environments are patched and repos are scrubbed of malicious configuration.
⚡Strategic Intelligence Guidance
- Upgrade OpenAI Codex CLI to version 0.23.0 or later across all developer endpoints and CI environments, and prohibit use of older versions through tooling and policy.
- Scan repositories for .env files that set CODEX_HOME to project-local paths and for ./.codex/config.toml files containing unexpected or unreviewed mcp_servers command definitions.
- Limit who can introduce Codex MCP configurations via code review and protect default project templates or starter repos from unauthorized modifications.
- Integrate Codex CLI usage into secure development lifecycle practices, including logging codex invocations, monitoring for anomalous outbound connections, and treating AI tooling configs as high-sensitivity assets.
Threats
software supply chain compromise
Targets
developer workstations, CI/CD agents, open source repositories