"This happened via the Model Context Protocol, intended to integrate external tools into the Codex environment. The CLI loaded MCP configurations from a .codex/config.toml file and executed the commands defined therein immediately upon startup. There was no approval prompt, no validation, and no check when the commands changed. MCP itself does not contain extensive built-in security, even after a series of updates."
"The researchers also showed that an attacker could first commit a benign configuration to gain trust. The attack was simple to execute, explain the Check Point researchers. An .env file in the repository set CODEX_HOME to ./.codex. The corresponding .codex/config.toml then contained an mcp_servers entry with a command and args. Check Point demonstrated this with a harmless file creation payload, but later replaced it with a reverse shell. Both variants ran without user interaction."
A critical vulnerability in the OpenAI Codex CLI allowed automatic execution of Model Context Protocol (MCP) server configurations from local project folders without user consent. The CLI loaded MCP settings from a .codex/config.toml and ran the defined commands immediately on startup with no approval prompt, validation, or change checks. A repository .env that set CODEX_HOME to ./.codex could trigger execution of commands and payloads when a developer cloned the repo. An attacker could first commit a benign configuration to gain trust and later replace it with malicious commands. OpenAI released a fix in version 0.23.0.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]