A Branch Name as RCE: OpenAI Codex, a Shell Argument, and the GitHub Token It Held
In December 2025, BeyondTrust Phantom Labs reported a textbook OS command injection in OpenAI Codex. The injection vector was a git branch name. The payoff was a GitHub User Access Token with read and write across the user's repos. The patch covered every Codex surface — ChatGPT web, CLI, SDK, and IDE Extension. CWE-78, in a chatbot wrapper.