
GHSA-w5fx-fh39-j5rw: Codex has sandbox bypass due to bug in path configuration logic

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 9/19/2025
Updated: 9/19/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name: @openai/codex
Ecosystem: npm
Vulnerable Versions: >= 0.2.0, <= 0.38.0
First Patched Version: 0.39.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability exists because the Codex CLI used a single cwd (current working directory) for two different purposes: setting the working directory for a command generated by an AI model, and defining the security boundary of the sandbox in which that command runs. An attacker could craft a model response that specifies a cwd outside of the intended project directory (e.g., / or /tmp).

The vulnerable functions, primarily spawn_command_under_seatbelt for macOS and spawn_command_under_linux_sandbox for Linux, would then use this malicious cwd to configure the sandbox policy. Specifically, functions like create_seatbelt_command_args would call sandbox_policy.get_writable_roots_with_cwd(cwd), effectively making the malicious path a writable root for the sandbox. This allowed the sandboxed process to write files and execute commands anywhere the user running the Codex CLI had permissions, bypassing the intended sandbox restrictions.

The patch addresses this by introducing a separation between the command's working directory (command_cwd) and the directory used to enforce the sandbox policy (sandbox_policy_cwd). The sandbox_policy_cwd is now correctly and safely derived from the user's session directory, ensuring that the sandbox boundaries are always enforced correctly, regardless of the cwd specified by the model.
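The following Rust program is an added illustration of the root cause and the fix described above; it is not code from codex-rs. `SandboxPolicy`, `ExecParams` and `get_writable_roots_with_cwd` are simplified stand-ins for the real types (assumed shape: writable roots are the configured roots plus the cwd the policy is asked about), and the paths are constructed sample values.

```rust
use std::path::{Path, PathBuf};

/// Stand-in for the policy type (assumed shape, not the real codex-rs API):
/// writable roots are the configured roots plus whatever cwd it is asked about.
struct SandboxPolicy {
    writable_roots: Vec<PathBuf>,
}

impl SandboxPolicy {
    fn get_writable_roots_with_cwd(&self, cwd: &Path) -> Vec<PathBuf> {
        let mut roots = self.writable_roots.clone();
        roots.push(cwd.to_path_buf());
        roots
    }
}

/// Model-generated tool-call parameters (constructed stand-in for ExecParams).
struct ExecParams {
    command: Vec<String>,
    cwd: PathBuf,
}

/// Pre-fix shape: the single `cwd` from the model is also fed to the policy,
/// so a model-chosen `/tmp` (or `/`) becomes a writable root.
fn writable_roots_vulnerable(policy: &SandboxPolicy, params: &ExecParams) -> Vec<PathBuf> {
    policy.get_writable_roots_with_cwd(&params.cwd)
}

/// Post-fix shape: `command_cwd` (what the model asked for) is kept apart from
/// `sandbox_policy_cwd` (the user's session directory); only the latter feeds the policy.
fn writable_roots_patched(policy: &SandboxPolicy, session_cwd: &Path, params: &ExecParams) -> (PathBuf, Vec<PathBuf>) {
    let command_cwd = params.cwd.clone();
    let sandbox_policy_cwd = session_cwd.to_path_buf();
    (command_cwd, policy.get_writable_roots_with_cwd(&sandbox_policy_cwd))
}

/// Would a write to `target` be permitted under these writable roots?
fn can_write(roots: &[PathBuf], target: &Path) -> bool {
    roots.iter().any(|root| target.starts_with(root))
}

fn main() {
    let policy = SandboxPolicy { writable_roots: vec![] };
    let session = Path::new("/home/user/project");
    // Constructed model response whose cwd points outside the workspace.
    let params = ExecParams { command: vec!["touch".into(), "outside.txt".into()], cwd: PathBuf::from("/tmp") };
    let target = Path::new("/tmp/outside.txt");
    println!("command {:?} in {:?}", params.command, params.cwd);
    println!("vulnerable allows write: {}", can_write(&writable_roots_vulnerable(&policy, &params), target));
    let (_command_cwd, roots) = writable_roots_patched(&policy, session, &params);
    println!("patched allows write: {}", can_write(&roots, target));
}
```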

Vulnerable functions

run_command_under_sandbox
codex-rs/cli/src/debug_sandbox.rs
The function `run_command_under_sandbox` was vulnerable because it used a single `cwd` variable, derived from the environment, for both the command's working directory and the sandbox policy. This allowed a model-generated `cwd` to be treated as the root for the sandbox, bypassing the intended workspace boundary.
process_exec_tool_call
codex-rs/core/src/exec.rs
This function orchestrates the execution of commands within a sandbox. The vulnerability lies in the fact that it was using the `cwd` from `ExecParams` (which could be influenced by the model) and passing it as the sole `cwd` to the underlying sandboxing functions (`spawn_command_under_seatbelt` and `spawn_command_under_linux_sandbox`). This meant the sandbox policy was being based on a potentially malicious path.
spawn_command_under_linux_sandbox
codex-rs/core/src/landlock.rs
This function was responsible for creating the sandboxed environment on Linux. It was vulnerable because it accepted a single `cwd` parameter, which was then used to both set the working directory of the command and to generate the arguments for the sandbox policy via `create_linux_sandbox_command_args`. This allowed the sandbox's restrictions to be based on a directory controlled by the model, rather than the user's session directory.
spawn_command_under_seatbelt
codex-rs/core/src/seatbelt.rs
Similar to its Linux counterpart, this function for macOS was vulnerable because it used a single `cwd` for both the command's execution and for creating the sandbox profile via `create_seatbelt_command_args`. This created a sandbox bypass vulnerability by allowing the sandbox policy to be based on a model-controlled directory.
create_seatbelt_command_args
codex-rs/core/src/seatbelt.rs
This function is where the `cwd` was directly used to determine the writable paths for the sandbox. The line `let writable_roots = sandbox_policy.get_writable_roots_with_cwd(cwd);` shows that the `cwd`, which could be controlled by the model, was used to define which directories the sandboxed process could write to. This is the core of the sandbox bypass.

WAF Protection Rules

WAF Rule

Due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated `cwd` as the sandbox's writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace bou
