{"id":"CVE-2025-54558","details":"OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag.","modified":"2026-03-14T01:48:52.819928Z","published":"2025-07-25T02:15:24.433Z","references":[{"type":"WEB","url":"https://github.com/openai/codex/compare/rust-v0.8.0...rust-v0.9.0"},{"type":"FIX","url":"https://github.com/openai/codex/commit/6cf4b96f9dbbef8a94acc1ff703eb118481514d8"},{"type":"FIX","url":"https://github.com/openai/codex/pull/1644"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openai/codex","events":[{"introduced":"0"},{"fixed":"12994d3a43532fc48ab924035f85cc12cff85fa3"},{"fixed":"6cf4b96f9dbbef8a94acc1ff703eb118481514d8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.0"}]}}],"versions":["codex-rs-121686615fd634e35f3e415896f36908cf8632f9-1-rust-v0.0.2506052203","codex-rs-132146b6d4e133d014f763a0d8dabd853f3fc0c0-1-rust-v0.0.2505061740","codex-rs-2925136536b06a324551627468d17e959afa18d4-1-rust-v0.2.0-alpha.2","codex-rs-378d773f3af95384eef51addf560df30aa9fd15f-1-rust-v0.0.2505301630","codex-rs-3a70a0bc280734d09448cb08ec05b5c44f7c798e-1-rust-v0.0.2505141337","codex-rs-45519e12f39777b65c05ed498503ddcb60beb289-1-rust-v0.0.2506030956","codex-rs-5915a59c8290765d6097caf4074aae93a85380fa-1-rust-v0.0.2505021951","codex-rs-5ee08335ac690a69035720a798df9865bc5a4278-1-rust-v0.0.2505171051","codex-rs-5fc3c3023d9f179fb416b2722d1434bac278e916-1-rust-v0.0.2506060849","codex-rs-68e94c8c08943e1d4a53bd7987e319ba7dbffb74-1-rust-v0.0.2505191609","codex-rs-6a77484c94956d5cd319da3f8500b178ec93fc90-1-rust-v0.0.2505220956","codex-rs-6a8a936f75ea44faf05ff4fab0c6a36fc970428d-1-rust-v0.0.2506261603","codex-rs-72a4c38e41bc64f5a7c8c73d52f45784cb6b7137-1-rust-v0.0.2504301219","codex-rs-79cb07bf70a9036200aa2b61b211fe47ea13184a-1-rust-v0.0.2505212314","codex-rs-7f24ec8cae83ae22e7cc306fea4844958370827d-1-rust-v0.0.2505101753","codex-rs-84eae7b1bc4e3b5420f2d6127b7c17e7a979a5b0-1-rust-v0.0.2506052135","codex-rs-8d6a8b308e7457d432564083bb2f577cd39e132b-1-rust-v0.0.2505151627","codex-rs-94c47d69a3f92257e7f9717a2044bd55786eb999-1-rust-v0.0.2505121726","codex-rs-9949f6404378db6f54a01bcadb1956e0535d4921-1-rust-v0.0.2505121520","codex-rs-aa156ceac953c3e6f3602e6eb2f61b14ac8adaf3-1-rust-v0.0.2505231205","codex-rs-ac6e1b2661320a631d80aa51bdfa8f1635e0c8fa-1-rust-v0.0.2506052246","codex-rs-b152435fb95e7f1ab197ae2cdde68ae29a7d219b-1-rust-v0.0.2505291458","codex-rs-b289c9207090b2e27494545d7b5404e063bd86f3-1-rust-v0.1.0-alpha.4","codex-rs-b5257992b06373acef8b20a4ca25ffc1b96688e2-1-rust-v0.0.2505161708","codex-rs-c74d7e13e7d8daf3a2493f6216918d5e59a38bed-1-rust-v0.0.2505191518","codex-rs-ca8e97fcbcb991e542b8689f2d4eab9d30c399d6-1-rust-v0.0.2505302325","codex-rs-cb19037ca3822e9b19b51417392f8afc046be607-1-rust-v0.0.2505141652","codex-rs-d2eee362c1c6cdc00bcb5bf1d479823ef33c143a-1-rust-v0.0.2505231137","codex-rs-d519bd8bbd1e1fd9efdc5d68cf7bebdec0dd0f28-1-rust-v0.0.2505270918","codex-rs-dfac02b343605ce61154ab2e075ac6c38f533916-1-rust-v0.0.2505291659","codex-rs-e40bc9911433bd3f942ef4604626fab5638a7a72-1-rust-v0.0.2504301327","rust-v.0.0.2504291921","rust-v.0.0.2504291926","rust-v.0.0.2504291954","rust-v.0.0.2504292006","rust-v.0.0.2504292236","rust-v0.0.2504291921","rust-v0.0.2504301132"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54558.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}