CVE-2025-59532: Codex has sandbox bypass due to bug in path configuration logic

CVSS Score: N/A

Basic Information

EPSS Score: 0.3157%
Published: 9/19/2025
Updated: 9/22/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name: @openai/codex
Ecosystem: npm
Vulnerable Versions: >= 0.2.0, <= 0.38.0
First Patched Version: 0.39.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability in Codex CLI was a sandbox bypass caused by improper handling of the current working directory (`cwd`). The core issue was that the `cwd` provided by a language model could be used to define the root of the sandbox's writable area. This allowed a malicious model output to specify a `cwd` outside of the user's intended workspace, effectively bypassing the sandbox and enabling arbitrary file writes and command execution on the user's machine.

The patch addresses this by separating the concept of the command's working directory from the sandbox's policy boundary. The key changes were made in the functions responsible for spawning sandboxed processes (`spawn_command_under_seatbelt` for macOS and `spawn_command_under_linux_sandbox` for Linux) and the functions that call them.

The analysis of the commit 8595237505a1e0faabc2af3db805b66ce3ae182d reveals that these functions were modified to accept two separate path arguments: `command_cwd` and `sandbox_policy_cwd`. The `command_cwd` is the working directory for the executed command (which can be specified by the model), while the `sandbox_policy_cwd` is a trusted path based on the user's session, used to enforce the sandbox's security policy. By doing this, the sandbox's boundary is no longer determined by potentially malicious model input.

The identified vulnerable functions are the ones that were part of this flawed logic. During an exploit, these functions would be present in the call stack, with `run_command_under_sandbox` and `process_exec_tool_call` initiating the process and the `spawn_command_under_*` functions directly creating the misconfigured sandbox.
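The single-`cwd` and split-`cwd` shapes side by side, as an added sketch that is not code from Codex or from the commit. `Sandbox`, `resolve`, `single_cwd`, `split_cwd` and the sample paths are assumptions made for illustration; only the names `command_cwd` and `sandbox_policy_cwd` come from the analysis above. It models the writable-root decision lexically and does not call Seatbelt or Landlock.

```rust
use std::path::{Component, Path, PathBuf};

// Lexically resolve `p` against `base`, collapsing `.` and `..` (no filesystem access).
fn resolve(base: &Path, p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in base.join(p).components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

// Hypothetical stand-in for a sandbox: where the command runs, and where it may write.
struct Sandbox {
    command_cwd: PathBuf,
    writable_root: PathBuf,
}

impl Sandbox {
    // Pre-patch shape: one cwd, which the model can influence, also sets the writable root.
    fn single_cwd(session_dir: &Path, cwd: &Path) -> Self {
        let cwd = resolve(session_dir, cwd);
        Sandbox { command_cwd: cwd.clone(), writable_root: cwd }
    }

    // Patched shape: the writable root comes only from the trusted sandbox_policy_cwd.
    fn split_cwd(command_cwd: &Path, sandbox_policy_cwd: &Path) -> Self {
        Sandbox {
            command_cwd: resolve(sandbox_policy_cwd, command_cwd),
            writable_root: resolve(sandbox_policy_cwd, Path::new(".")),
        }
    }

    // A write is allowed only if the resolved target stays under the writable root.
    fn allows_write(&self, target: &Path) -> bool {
        resolve(&self.command_cwd, target).starts_with(&self.writable_root)
    }
}

fn main() {
    let session = Path::new("/home/user/project"); // constructed sample paths
    let outside = Path::new("/home/user/elsewhere");
    let before = Sandbox::single_cwd(session, outside);
    let after = Sandbox::split_cwd(outside, session);
    println!("single cwd allows write outside session: {}", before.allows_write(Path::new("notes.txt")));
    println!("split cwd allows write outside session:  {}", after.allows_write(Path::new("notes.txt")));
}
```

In the split form the command may still run from a directory outside the session, but every write check is anchored to the session directory, so the write outside it is refused.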

Vulnerable functions

`codex_cli::debug_sandbox::run_command_under_sandbox`
File: codex-rs/cli/src/debug_sandbox.rs
This function was responsible for setting up the sandbox environment. It previously used a single `cwd` for both the command's working directory and the sandbox's security policy. This `cwd` could be influenced by a model's output, allowing an attacker to specify a path outside the intended workspace, thus bypassing the sandbox.

`codex_core::exec::process_exec_tool_call`
File: codex-rs/core/src/exec.rs
This function orchestrates the execution of commands. It was modified to accept a separate `sandbox_cwd` parameter, which is used to configure the sandbox policy. Previously, it used the `cwd` from `ExecParams`, which could be controlled by the model, to set the sandbox boundary. This change ensures the sandbox policy is based on a trusted path, not a potentially malicious one from the model.

`codex_core::seatbelt::spawn_command_under_seatbelt`
File: codex-rs/core/src/seatbelt.rs
This function, specific to macOS, is responsible for spawning a process within a seatbelt sandbox. It was vulnerable because it used a single `cwd` parameter for both the command's execution directory and for defining the sandbox's writable paths. An attacker could provide a path outside the intended workspace to gain write access to arbitrary files.

`codex_core::landlock::spawn_command_under_linux_sandbox`
File: codex-rs/core/src/landlock.rs
This function is the Linux equivalent of `spawn_command_under_seatbelt`. It was vulnerable for the same reason: it used a single `cwd` that could be controlled by a model's output to define the sandbox's security boundaries, allowing a sandbox escape and arbitrary file writes.
