Intel

AIKIDO-2026-576243

@openai/codex is vulnerable to Protection Mechanism Failure

Protection Mechanism Failure Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

JS@openai/codex
0.1.4160940 - 0.142.1
Fixed in 0.142.2
Are you affected? Scan for Free

TL;DR

On Windows, @openai/codex uses a PowerShell safe-command classifier to decide whether a command is read-only enough to run without asking the user for approval. The classifier parses the script but only lowers the statements in the end block into argv-like words that it checks against a safe-command allowlist. Code placed in parameter defaults, begin, process, or clean blocks, using preambles, or top-level trap handlers is never inspected, so a script whose end block looks read-only can still execute side-effecting commands and be auto-approved. The fix treats any script containing those un-lowered AST regions as unsupported and routes it through the normal approval path.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run Codex on Windows.

Background info

@openai/codex is vulnerable to Protection Mechanism Failure in versions 0.1.4160940 - 0.142.1.

How to fix this

Upgrade the @openai/codex library to the patch version.