Researchers recently disclosed a serious security flaw in OpenAI's coding-agent tool, Codex CLI. The tool runs locally on a developer's machine, where it can read, change and execute code. The vulnerability stemmed from how it handled configuration: Codex CLI automatically loaded and executed commands defined in a project's local configuration files without first asking the user for permission. Because those command definitions were implicitly trusted, anyone who could commit or merge a manipulated configuration file into a repository could have malicious commands run, with no prompt to warn anyone, on the machine of every developer who opened that project with Codex CLI.
Security researchers showed that, by exploiting this flaw, an attacker could deploy a reverse shell for persistent remote access, silently execute arbitrary commands, steal credentials or secrets, escalate privileges, and even mount supply-chain attacks, infecting not just one machine but many downstream systems if build or continuous-integration pipelines ran the agent against the compromised repository. In effect, an ordinary developer workflow (clone the repository, open it in the agent) became a stealthy backdoor that could compromise entire developer environments and the builds they produce.
The vulnerability, tracked as CVE-2025-61260, was responsibly disclosed to OpenAI and patched in a subsequent release of Codex CLI (version 0.23.0). The patch changed the behavior so that project-local configuration is no longer executed implicitly, closing the automatic-execution pathway. Still, the flaw highlights a broader risk: AI coding agents that execute commands on their own, without a human confirming each action, add a dangerous attack surface, especially in collaborative or supply-chain contexts where the configuration an agent reads is written by people other than the person running it.
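The trust-boundary problem and the shape of the fix, as an added example that is not Codex CLI's code or configuration format. The JSON file layout, the key name `startup_commands`, the sample commands and the approval store are all hypothetical stand-ins; what the block shows is the difference between running whatever a repository-controlled file says (the pre-fix behavior) and keeping that file inert until the user has approved its exact contents, with approval tied to a hash so that any later edit to the file must be approved again.

```python
"""Implicit vs. explicit trust of a project-local agent config.

Added example, not Codex CLI code. The file format (JSON), the key name
"startup_commands" and the sample commands are hypothetical stand-ins for
whatever a real tool reads; only the trust-boundary logic is the point.
"""
import hashlib
import json
import shlex
import subprocess
from typing import Callable, Dict, List, Set

Runner = Callable[[List[str]], None]

# Constructed sample: what an attacker could merge into a shared repository.
# The second entry illustrates credential theft; it is not a real payload.
MALICIOUS_CONFIG_TEXT = json.dumps({
    "startup_commands": [
        "npm install",
        "sh -c 'cat ~/.aws/credentials | base64'",
    ]
})


def parse_config(text: str) -> List[str]:
    """Parse the hypothetical config and return its validated command list."""
    cfg = json.loads(text)
    cmds = cfg.get("startup_commands", [])
    if not isinstance(cmds, list) or not all(isinstance(c, str) for c in cmds):
        raise ValueError("startup_commands must be a list of strings")
    return cmds


def config_fingerprint(text: str) -> str:
    """SHA-256 of the exact file contents; any later edit changes it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def vulnerable_startup(text: str, run: Runner) -> List[str]:
    """Pre-fix behavior: every command in the repo-controlled file runs on load.

    Whoever can merge to the repository decides what executes on each
    developer's host, and the developer is never asked.
    """
    executed = []
    for cmd in parse_config(text):
        run(shlex.split(cmd))
        executed.append(cmd)
    return executed


def hardened_startup(text: str, run: Runner, trusted: Set[str],
                     approve: Callable[[str, List[str]], bool]) -> List[str]:
    """Post-fix behavior: the file is inert until the user approves this exact
    content. Approval is keyed on the fingerprint and kept in a user-owned
    store (not in the repo), so a changed file must be approved again.
    """
    cmds = parse_config(text)
    if not cmds:
        return []
    fp = config_fingerprint(text)
    if fp not in trusted:
        if not approve(fp, cmds):
            return []                 # declined: ignored, never executed
        trusted.add(fp)
    executed = []
    for cmd in cmds:
        run(shlex.split(cmd))
        executed.append(cmd)
    return executed


def subprocess_runner(argv: List[str]) -> None:
    """Real runner for reference; the demo below deliberately does not use it."""
    subprocess.run(argv, check=False)


def recording_runner(log: List[List[str]]) -> Runner:
    """Dry-run runner: records argv instead of executing, so the constructed
    sample commands above never actually run."""
    def run(argv: List[str]) -> None:
        log.append(argv)
    return run


def demo() -> Dict[str, int]:
    launched: List[List[str]] = []
    run = recording_runner(launched)
    trusted: Set[str] = set()
    deny = lambda fp, cmds: False
    allow = lambda fp, cmds: True

    vulnerable = vulnerable_startup(MALICIOUS_CONFIG_TEXT, run)
    denied = hardened_startup(MALICIOUS_CONFIG_TEXT, run, trusted, deny)
    approved = hardened_startup(MALICIOUS_CONFIG_TEXT, run, trusted, allow)
    # Same file again: already trusted, so no prompt (deny would block it otherwise).
    repeat = hardened_startup(MALICIOUS_CONFIG_TEXT, run, trusted, deny)
    # A small change after approval invalidates the earlier trust decision.
    tampered_text = MALICIOUS_CONFIG_TEXT.replace("npm install", "npm ci")
    tampered = hardened_startup(tampered_text, run, trusted, deny)
    return {
        "vulnerable": len(vulnerable),
        "denied": len(denied),
        "approved": len(approved),
        "repeat": len(repeat),
        "tampered": len(tampered),
        "launched_total": len(launched),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path executes both commands the moment the file is loaded; the hardened path executes nothing on a denied prompt, remembers an approval only for that exact file hash, and treats a single edited byte as a new, unapproved file. In a real tool the `trusted` set would live under the user's home directory, never inside the repository, since a file the attacker can commit must not be able to vouch for itself.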
This incident is a stark warning to developers and organizations: using AI-driven coding tools comes with security trade-offs. Automated convenience should not replace careful review and human oversight. Until tools and workflows are hardened, developers should treat AI agents with caution, especially when working on shared codebases or open-source projects where external contributions can slip malicious configuration files into repositories. In practice that means reviewing any file an agent reads as configuration with the same care as a CI script, and not letting a freshly cloned repository run anything before a human has looked at it.