
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN637
_____________________________________________________________________

DATE                : 24/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running codex (npm) versions prior
                     to 0.38.0,
                     Codex IDE Extension (VS Code) versions prior
                     to 0.39.0.

=====================================================================
https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw
_____________________________________________________________________


Sandbox bypass due to bug in path configuration logic
High
fouad-openai published GHSA-w5fx-fh39-j5rw Sep 19, 2025

Package
@openai/codex (npm)

Affected versions
>= 0.2.0, <= 0.38.0

Patched versions
0.39.0


Codex IDE Extension (VS Code)
Affected versions
<= 0.4.11
Patched versions
0.4.12


Description

Due to a bug in the sandbox configuration logic, Codex CLI could
treat a model-generated cwd as the sandbox’s writable root,
including paths outside of the folder where the user started their
session.

This logic bypassed the intended workspace boundary and enabled
arbitrary file writes and command execution wherever the Codex
process had permissions; it did not affect the network-disabled
sandbox restriction.


Remediation
We released a patch in Codex CLI 0.39.0 that canonicalizes and
validates that the boundary used for sandbox policy is based on
where the user started the session, and not the one generated by
the model. Users running 0.38.0 or earlier should update
immediately via their package manager or by reinstalling the
latest Codex CLI to ensure sandbox boundaries are enforced.

If using the Codex IDE extension, users should immediately update
to 0.4.12 for a fix of the sandbox issue.

Thank you to Tzanko Matev (Codetracer) for reporting the issue!
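The remediation above describes the fix as canonicalizing the sandbox boundary and deriving it from where the user started the session rather than from a model-generated cwd. The following is an added illustration of that kind of check, written for this note and not taken from the Codex code base: the function names, the SandboxEscape exception and the temporary directory layout are all constructed for the example. It places an unchecked variant (the bug class the advisory describes) beside the hardened one so the difference on traversal, symlink and absolute-path requests is visible.

```python
import os
import shutil
import tempfile
from pathlib import Path


class SandboxEscape(Exception):
    """Raised when a requested working directory resolves outside the session root."""


def naive_writable_root(requested_cwd: str) -> Path:
    # Illustration of the bug class described in the advisory (hypothetical, not
    # Codex's actual code): whatever cwd was requested becomes the writable root.
    return Path(requested_cwd).resolve()


def resolve_writable_root(session_root, requested_cwd: str) -> Path:
    """Return the canonical cwd if it lies inside the session root, else raise.

    The boundary is always derived from session_root (where the user started),
    never from the requested value; canonicalization resolves '.', '..' and
    symlinks before the containment check so none of them can move the root.
    """
    root = Path(session_root).resolve(strict=True)
    candidate = Path(requested_cwd)
    if not candidate.is_absolute():
        # Relative requests are interpreted against the session root, not the process cwd.
        candidate = root / candidate
    resolved = candidate.resolve(strict=True)
    if resolved != root and root not in resolved.parents:
        raise SandboxEscape(f"{resolved} is outside session root {root}")
    return resolved


def demo():
    """Build a constructed directory layout in a temp dir and exercise both variants.

    Returns (results, session_root). results maps a label to
    ("allowed" | "rejected", path_or_reason) for the hardened check, plus
    "naive:<label>" entries showing what the unchecked variant would accept.
    """
    base = Path(tempfile.mkdtemp(prefix="sandbox-boundary-demo-")).resolve()
    project = base / "project"   # constructed: where the user started the session
    (project / "src").mkdir(parents=True)
    outside = base / "outside"   # constructed: sibling directory that must stay unwritable
    outside.mkdir()
    try:
        os.symlink(outside, project / "escape")  # symlink inside the root pointing outside
    except OSError:
        pass  # platforms without symlink support: that request then simply does not exist

    requests = {
        "relative inside": "src",
        "dot": ".",
        "parent traversal": "../outside",
        "symlink escape": "escape",
        "absolute outside": str(outside),
    }
    results = {}
    for label, requested in requests.items():
        try:
            results[label] = ("allowed", str(resolve_writable_root(project, requested)))
        except SandboxEscape as exc:
            results[label] = ("rejected", str(exc))
        except FileNotFoundError:
            results[label] = ("rejected", "path does not exist")
        # The naive variant never rejects anything; shown for contrast only.
        raw = requested if Path(requested).is_absolute() else str(project / requested)
        results["naive:" + label] = ("allowed", str(naive_writable_root(raw)))
    shutil.rmtree(base)
    return results, str(project)


if __name__ == "__main__":
    outcome, root = demo()
    print("session root:", root)
    for label, (verdict, detail) in outcome.items():
        print(f"{label:28s} {verdict:8s} {detail}")
```

The containment test compares canonical paths, so a request such as `../outside` or a symlink planted under the root is rejected even though its textual form begins inside the session directory; the naive variant, which simply resolves whatever it is given, would accept both.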


Severity
High
8.6 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : Low
  User Interaction     : Passive

Vulnerable System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High

Subsequent System Impact Metrics
  Confidentiality      : None
  Integrity            : None
  Availability         : None

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
No known CVE

Weaknesses
No CWEs

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
