
newtro/mcp-codex-bridge

high

MCP server wrapping the Codex CLI as four callable tools (status/ask/review/implement) for Claude Code. Cross-provider adversarial audits using your existing ChatGPT subscription auth.


purpose: MCP server (purpose undetermined)
threat: network exposed
TypeScript | 0 | May 20, 2026 | May 20, 2026 | GITHUB
claude-code, codex, mcp, mcp-server, model-context-protocol, openai, typescript
5/20/2026
high: 1 finding
src/server.ts
        context_files: z
          .array(z.string())
          .optional()
          .describe(
            'Optional list of files to include as context. Each file is read and prepended to the prompt; files over 64 KiB are truncated.',
          ),
src/index.ts:6, src/server.ts:5

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or if LLM is compromised (local_only).

The codex_ask tool accepts a context_files parameter that is an array of arbitrary file paths. The description states each file is read and included in the prompt. There is no validation to restrict paths to a specific directory or to prevent path traversal (e.g., using '../' or absolute paths like '/etc/passwd'). This allows reading any file the server process has access to.

Impact: An attacker (via a compromised LLM or direct network access) can read arbitrary files on the server, including sensitive data like credentials, SSH keys, configuration files, or source code.

Fix: Validate that all paths in context_files are within an allowed directory (e.g., the working_directory or a project root). Resolve paths to absolute and check they start with the allowed prefix. Alternatively, restrict to files explicitly listed in a whitelist.

high: 1 finding
src/server.ts
        working_directory: z
          .string()
          .min(1)
          .describe(
            "Absolute path of the repository Codex should modify. Required because Codex must know which checkout to write into.",
          ),
src/index.ts:6, src/server.ts:7

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or if LLM is compromised (local_only).

The codex_implement tool accepts a working_directory parameter that is an arbitrary absolute path. The tool then runs Codex, which can write files within that directory. There is no validation to ensure the path is within an allowed scope. An attacker could specify a sensitive directory (e.g., /etc, /home/user/.ssh) and have Codex write malicious files there.

Impact: An attacker can write arbitrary files to any location on the filesystem that the server process has write access to, potentially leading to code execution (e.g., overwriting scripts, adding SSH keys, modifying system configuration).

Fix: Restrict working_directory to a predefined set of allowed directories (e.g., a projects folder). Validate that the resolved absolute path starts with an allowed prefix. Reject paths that are not within the allowed scope.

medium: 1 finding
src/server.ts
        working_directory: z
          .string()
          .optional()
          .describe('Optional cwd. If omitted, Codex runs in the host process cwd.'),
src/index.ts:6, src/server.ts:5,6

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or if LLM is compromised (local_only).

The codex_ask and codex_review tools accept an optional working_directory parameter with no validation. While these tools are described as read-only, an attacker could set working_directory to an arbitrary path, potentially causing Codex to read files from or operate in unintended directories. Although the immediate impact is limited (read-only), it could be combined with other vulnerabilities or used for information gathering.

Impact: An attacker could influence the working directory of Codex operations, potentially leading to unintended file access or behavior. In combination with other issues, this could escalate risk.

Fix: Validate that working_directory is within an allowed set of directories, similar to the implement tool. At minimum, resolve to absolute path and check against a whitelist.

shell.exec, filesystem.read, filesystem.write, env.exposure
65
LLM-based
high findings: +50
medium findings: +15