AI description
CVE-2025-59532 describes a sandbox bypass vulnerability affecting OpenAI's Codex CLI, specifically in versions 0.2.0 through 0.38.0. The vulnerability stems from a flaw in the sandbox configuration logic, where the Codex CLI could interpret a model-generated current working directory (cwd) as the sandbox's writable root. This could occur even if the specified path was outside the folder where the user initiated their session. This misinterpretation allowed the intended workspace boundary to be bypassed, potentially enabling arbitrary file writes and command execution with the permissions of the Codex process. The issue did not, however, impact the network-disabled sandbox restriction. A patch for this vulnerability has been released in Codex CLI version 0.39.0 and for the Codex IDE extension in version 0.4.12.
- Description
- Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0 that canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue.
- Source
- security-advisories@github.com
- NVD status
- Deferred
CVSS 4.0
- Type
- Secondary
- Base score
- 8.6
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-20
- Hype score
- Not currently trending
Cohere Terrarium (CVE-2026-5752) and OpenAI Codex CLI (CVE-2025-59532): a cross-CVE analysis of AI code sandbox escapes https://t.co/IsguXmPWs1
@Dinosn
25 Apr 2026
1311 Impressions
0 Retweets
7 Likes
2 Bookmarks
0 Replies
0 Quotes
Cohere Terrarium (CVE-2026-5752) and OpenAI Codex CLI (CVE-2025-59532): a cross-CVE analysis of AI code sandbox escapes https://t.co/shzcJdqxQK
@_r_netsec
24 Apr 2026
574 Impressions
3 Retweets
4 Likes
1 Bookmark
0 Replies
0 Quotes
🟧 CVE-2025-59532, CVSS: 8.6 (High) Codex CLI version 0.2.0 to 0.38.0, OpenAI. A vulnerability in sandbox configuration logic. Affected versions allow arbitrary file writes and command execution due to improper handling of the current working directory. Users should update
@UjlakiMarci
23 Sept 2025
103 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
[CVE-2025-59532: HIGH] Update Codex CLI to 0.39.0 to fix a bug allowing arbitrary file writes and command execution. Update Codex IDE extension to 0.4.12 for the sandbox issue patch. #cybersecurity#cve,CVE-2025-59532,#cybersecurity https://t.co/oPysUf1q2x https://t.co/YtqkzjkKJH
@CveFindCom
22 Sept 2025
162 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes