@openai/codex is vulnerable to Protection Mechanism Failure
63
Medium Risk
On Windows, Codex decides whether a shell command is read-only enough to run without extra approval by parsing PowerShell scripts and lowering only the end-block statements into command words that it checks against a safelist. Parameter defaults, named blocks such as begin and process, using preambles, and top-level trap handlers are not represented in that lowered list, so executable code placed in those regions is never inspected. An attacker who can influence a proposed command can hide side-effecting statements in those uninspected regions so a destructive script is classified as safe and auto-approved without user confirmation. The fix makes the classifier fail closed by rejecting any PowerShell script that contains these uninspected AST regions.
You are affected if you are using a version that falls within the vulnerable range and run Codex on Windows where PowerShell commands can be auto-approved by the command safety classifier.
@openai/codex is vulnerable to Protection Mechanism Failure in versions 0.72.0 - 0.142.1.
Upgrade the @openai/codex library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant