The vulnerability exists because the Codex CLI was using a single cwd (current working directory) for two different purposes: setting the working directory for a command generated by an AI model, and defining the security boundaries of the sandbox in which that command runs. An attacker could craft a model response that specifies a cwd outside of the intended project directory (e.g., / or /tmp).
The vulnerable functions, primarily spawn_command_under_seatbelt for macOS and spawn_command_under_linux_sandbox for Linux, would then use this malicious cwd to configure the sandbox policy. Specifically, functions like create_seatbelt_command_args would call sandbox_policy.get_writable_roots_with_cwd(cwd), effectively making the malicious path a writable root for the sandbox. This allowed the sandboxed process to write files and execute commands anywhere the user running the Codex CLI had permissions, bypassing the intended sandbox restrictions.
The patch addresses this by introducing a separation between the command's working directory (command_cwd) and the directory used to enforce the sandbox policy (sandbox_policy_cwd). The sandbox_policy_cwd is now correctly and safely derived from the user's session directory, ensuring that the sandbox boundaries are always enforced correctly, regardless of the cwd specified by the model.
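To make the before/after concrete, here is an added, self-contained Rust sketch (not the Codex CLI's own code) of the flaw described above: a policy type whose get_writable_roots_with_cwd appends whatever directory it is handed, fed first by the model-supplied cwd and then by a session-derived sandbox_policy_cwd. The SandboxPolicy struct, resolve_sandbox_dirs and roots_confined_to are hypothetical stand-ins, and the paths are constructed sample values.

```rust
use std::path::{Path, PathBuf};

/// Illustrative stand-in for a sandbox policy (not the project's SandboxPolicy):
/// the roots the sandboxed process is allowed to write to.
#[derive(Debug, Clone, PartialEq)]
pub struct SandboxPolicy {
    pub extra_writable_roots: Vec<PathBuf>,
}

impl SandboxPolicy {
    /// The risky pattern: whatever `cwd` is passed in becomes a writable root.
    /// Whether that is safe depends entirely on where `cwd` came from.
    pub fn get_writable_roots_with_cwd(&self, cwd: &Path) -> Vec<PathBuf> {
        let mut roots = self.extra_writable_roots.clone();
        roots.push(cwd.to_path_buf());
        roots
    }
}

/// Hypothetical helper mirroring the patched design: the command's working
/// directory may come from the model, but the directory anchoring the sandbox
/// policy is always taken from the trusted session directory.
pub fn resolve_sandbox_dirs(session_cwd: &Path, model_cwd: Option<&Path>) -> (PathBuf, PathBuf) {
    let command_cwd = model_cwd.map(Path::to_path_buf).unwrap_or_else(|| session_cwd.to_path_buf());
    let sandbox_policy_cwd = session_cwd.to_path_buf();
    (command_cwd, sandbox_policy_cwd)
}

/// Defender-side check: true when every writable root lies inside the session
/// directory. This is a lexical prefix test; a real check must canonicalize
/// paths first so symlinks and `..` cannot slip past it.
pub fn roots_confined_to(roots: &[PathBuf], session_cwd: &Path) -> bool {
    roots.iter().all(|r| r.starts_with(session_cwd))
}

fn main() {
    let policy = SandboxPolicy { extra_writable_roots: vec![] };
    let session = Path::new("/home/user/project"); // constructed session directory
    let model_cwd = Path::new("/tmp"); // constructed model-supplied cwd outside the project
    // Vulnerable flow: the model-controlled cwd feeds the policy directly.
    let before = policy.get_writable_roots_with_cwd(model_cwd);
    // Patched flow: only the session-derived sandbox_policy_cwd feeds the policy.
    let (command_cwd, policy_cwd) = resolve_sandbox_dirs(session, Some(model_cwd));
    let after = policy.get_writable_roots_with_cwd(&policy_cwd);
    println!("command runs in {:?}", command_cwd);
    println!("before: {:?} confined={}", before, roots_confined_to(&before, session));
    println!("after:  {:?} confined={}", after, roots_confined_to(&after, session));
}
```

The command still runs in the model's requested directory, but the writable root never leaves the session directory.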
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @openai/codex | npm | >= 0.2.0, <= 0.38.0 | 0.39.0 |