
Cloud Vulnerability DB
A community-led vulnerabilities database
A sandbox bypass vulnerability (CVE-2025-59532) was discovered in OpenAI's Codex CLI versions 0.2.0 through 0.38.0 and in the Codex IDE Extension for VS Code up to and including version 0.4.11. Discovered in September 2025, it allows an attacker to escape the sandbox's workspace boundary because of a bug in the path configuration logic (GitHub Advisory).
The root cause is in the sandbox configuration logic: Codex CLI could treat a model-generated current working directory (cwd) as the sandbox's writable root, including a cwd pointing outside the folder in which the user started the session. Because the model rather than the user chose that path, anything that could steer the model's output could also move the writable boundary, defeating the intended workspace restriction. The vulnerability carries a CVSS v4 score of 8.6 (High) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).
Once the boundary had been moved, the model could write arbitrary files and execute commands anywhere the Codex process itself had permission, outside the directory the user believed it was confined to. The network-disabled sandbox restriction was not affected (GitHub Advisory).
The issue is fixed in Codex CLI 0.39.0 and Codex IDE Extension 0.4.12. The fix canonicalizes the sandbox boundary and validates that it derives from the directory where the user started the session, never from a model-generated path. Users on affected versions should update immediately through their package manager or by reinstalling the latest Codex CLI so that sandbox boundaries are enforced (GitHub Advisory).
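To make the flaw and the fix concrete, the following Rust snippet is an illustration written for this page, not code from the Codex repository. It contrasts the flawed pattern (the model's proposed cwd simply becomes the writable root) with a hardened resolver that always anchors the boundary to the session directory and rejects any cwd that normalizes to a location outside it. The session directory /home/alice/project and the cwd values are constructed examples, and a purely lexical normalizer stands in for the canonicalization step the advisory describes.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically normalize a path: drop `.` and resolve `..` against the
/// components already seen, without consulting the filesystem.
/// (Hypothetical helper written for this illustration, not Codex code.)
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for component in path.components() {
        match component {
            Component::CurDir => {}
            // `pop` on a bare root ("/") is a no-op, so "/.." stays "/".
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// The flawed pattern described in the advisory: the model's proposed cwd
/// (resolved against the session directory) simply *becomes* the writable
/// root. Nothing checks that it lies inside the folder the user started in.
fn writable_root_vulnerable(session_root: &Path, model_cwd: &Path) -> PathBuf {
    normalize(&session_root.join(model_cwd))
}

/// Hardened variant: the writable root is always the directory the user
/// launched the session in. A model-proposed cwd is accepted only if, after
/// normalization, it stays inside that root; otherwise it is rejected.
fn writable_root_hardened(session_root: &Path, model_cwd: &Path) -> Result<PathBuf, String> {
    let root = normalize(session_root);
    // `join` discards `root` when `model_cwd` is absolute, so an absolute
    // "/etc" is checked as "/etc", not as "<root>/etc".
    let cwd = normalize(&root.join(model_cwd));
    if cwd.starts_with(&root) {
        Ok(root)
    } else {
        Err(format!(
            "model cwd {} escapes session root {}",
            cwd.display(),
            root.display()
        ))
    }
}

/// Policy check a sandbox would run before permitting a write: the target,
/// resolved against the root, must remain inside it. `Path::starts_with` is
/// component-wise, so "/x/proj2" does not count as inside "/x/proj".
fn write_allowed(root: &Path, target: &Path) -> bool {
    let root = normalize(root);
    normalize(&root.join(target)).starts_with(&root)
}

fn main() {
    let root = Path::new("/home/alice/project"); // assumed session directory
    // Constructed cwd values a model might emit; the last two try to escape.
    for cwd in ["src", "src/../../.ssh", "/etc"] {
        let cwd = Path::new(cwd);
        println!(
            "cwd {:<18} vulnerable root: {:<22} hardened: {:?}",
            cwd.display().to_string(),
            writable_root_vulnerable(root, cwd).display().to_string(),
            writable_root_hardened(root, cwd)
        );
    }
    println!(
        "write ../.bashrc allowed? {}",
        write_allowed(root, Path::new("../.bashrc"))
    );
}
```

The essential difference is that the hardened resolver returns the session root itself, not the model's cwd, so the boundary cannot be moved by model output. Lexical `..` handling is not a substitute for canonicalization: a symlink inside the root that points outside it passes `normalize` but not a real path resolution, which is why a production check should also resolve existing paths with `std::fs::canonicalize` before comparing them.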
Source: This report was generated using AI