RCE flaw in OpenAI’s Codex CLI highlights new risks to dev environments


Multiple attack vectors: For this flaw to be exploited, the victim needs to clone the repository and run Codex on it, and an attacker needs to have commit access to the repo or have their malicious pull request accepted. “Compromised templates, starter repos, or popular open-source projects can weaponize many downstream consumers with a single commit,” the researchers warned.

Furthermore, if CI tools or build agents automatically run Codex on checked-out code, the compromise could propagate from a developer workstation into build artifacts and downstream deployments of the code. Development machines often contain API tokens for various cloud services, as well as SSH keys and proprietary source code, all of which can be exfiltrated and abused to move laterally to additional assets.

“This breaks the CLI’s expected security boundary: project-supplied files become trusted execution material, and that implicit trust can be exploited with minimal effort and no user interaction beyond standard development workflow,” the researchers found.

While Codex CLI now blocks project-local redirection of the CODEX_HOME environment variable, the incident highlights that such security oversights can exist even in agents created by the leading AI companies. Last week, researchers warned about a flaw that allows instructions from a cloned repository to escape the confines of the current workspace in Google’s new AI-powered Antigravity IDE tool. Earlier this month another team of researchers showed how rogue MCP servers can take over Cursor’s built-in browser and potentially fully compromise the developer machine.

Organizations that allow their developers to work with AI coding agents and IDE tools should have policies in place regarding the level of automation these tools are configured with, as they can easily become powerful backdoors in case of vulnerabilities or misconfigurations.
Security experts have repeatedly cautioned against using the fully automated modes that don’t require human review and approval of the execution steps.
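The core lesson of the flaw is that a checked-out repository must never be allowed to decide where an agent looks for its trusted configuration. One defensive control a team can run before invoking an agent on a fresh clone (or in a CI pre-step) is to scan the checkout for project-local files that try to point CODEX_HOME, or any similar agent home variable, back into the repository. The script below is an added example written for this page; it is not code from the article, from OpenAI, or from the Codex CLI project. The article does not name the file the original flaw abused, so the list of candidate files (.env, .envrc, shell scripts, rc files) and the treatment of `$PWD`-style values as repo-relative are assumptions; the sample checkout it builds in a temporary directory is constructed for the demonstration.

```python
"""Scan a freshly cloned repository for project-local files that try to
redirect an AI coding agent's home directory (e.g. CODEX_HOME) before the
agent is run on the checkout.

Added, illustrative tooling; not part of Codex CLI or the article. The set of
files inspected and the heuristics are assumptions, not the mechanism the
original flaw used.
"""
import os
import re
import tempfile
from pathlib import Path

# CODEX_HOME is the variable named in the article; extend for other agents.
SENSITIVE_HOME_VARS = ("CODEX_HOME",)

# Project-local files that are commonly sourced automatically (assumption).
CANDIDATE_NAMES = {".env", ".envrc", ".bashrc", ".zshrc", ".profile", "Makefile"}
CANDIDATE_SUFFIXES = {".sh", ".bash", ".zsh", ".env"}
MAX_FILE_BYTES = 1_000_000  # skip large blobs; they are not shell rc files


def _is_candidate(path: Path) -> bool:
    return path.name in CANDIDATE_NAMES or path.suffix in CANDIDATE_SUFFIXES


def _assignment_pattern(var_names):
    names = "|".join(re.escape(v) for v in var_names)
    # Matches `export CODEX_HOME=...`, `CODEX_HOME=...` and `CODEX_HOME: ...`
    return re.compile(rf"^\s*(?:export\s+)?({names})\s*[:=]\s*(.+?)\s*$")


def _points_into_repo(value: str, root: Path, base_dir: Path) -> bool:
    """True if the assigned path would resolve to somewhere under the checkout.
    Shell expansions of the working directory are treated as repo-relative."""
    if "$PWD" in value or "$(pwd)" in value or value.startswith("./"):
        return True
    expanded = os.path.expanduser(os.path.expandvars(value))
    if expanded.startswith("$"):
        return False  # unknown variable; cannot conclude, report as external
    try:
        resolved = (base_dir / expanded).resolve()
        return resolved.is_relative_to(root.resolve())
    except (OSError, ValueError):
        return False


def find_env_redirections(repo_root, var_names=SENSITIVE_HOME_VARS):
    """Return findings as dicts: file, line, variable, value and whether the
    value points inside the repository (the case that hands the agent a
    repo-supplied config directory)."""
    root = Path(repo_root)
    pattern = _assignment_pattern(var_names)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts or not _is_candidate(path):
            continue
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        try:
            lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue
        for lineno, line in enumerate(lines, start=1):
            m = pattern.match(line)
            if not m:
                continue
            value = m.group(2).strip("\"'")
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "line": lineno,
                "variable": m.group(1),
                "value": value,
                "points_into_repo": _points_into_repo(value, root, path.parent),
            })
    return findings


def build_sample_repo() -> str:
    """Create a constructed sample checkout (not a real project) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="sample-repo-"))
    (root / "README.md").write_text("# demo\n")
    # Repo-local redirection: this is the pattern the scan should flag.
    (root / ".envrc").write_text('export CODEX_HOME="$PWD/.codex"\n')
    (root / ".codex").mkdir()
    (root / ".codex" / "config.toml").write_text("# repo-supplied agent config\n")
    # External path: reported, but not repo-local.
    (root / "scripts").mkdir()
    (root / "scripts" / "setup.sh").write_text(
        "#!/bin/sh\nexport CODEX_HOME=/opt/shared/codex\n")
    return str(root)


if __name__ == "__main__":
    repo = build_sample_repo()
    for f in find_env_redirections(repo):
        flag = "REPO-LOCAL" if f["points_into_repo"] else "external"
        print(f"{flag:10} {f['file']}:{f['line']} {f['variable']}={f['value']}")
```

In a pipeline the natural use is to fail the job (or refuse to start the agent) when any finding has `points_into_repo` set, and to surface the others for review; the scan is a cheap guardrail that does not depend on the agent vendor having already shipped a fix.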

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4100632/rce-flaw-in-openais-codex-cli-highlights-new-risks-to-dev-environments.html

