Simon Carter
Security & Governance

Codex CLI 0.137.0: Git Hook Blocking, WebSocket Hardening, and Windows Sandbox Setup

Codex CLI 0.137.0 closes three command-safety gaps and adds an alpha Windows elevated sandbox provisioning path for admins.

OpenAI Codex CLI GitHub repository social preview

Codex CLI v0.137.0 is a security-focused release. It does not add headline features or expand what the agent can do. Instead it closes three specific attack surfaces that existed in earlier versions, tightens sandbox enforcement, and gives Windows administrators a proper provisioning path for the first time. If you run Codex CLI in any context beyond a single-user personal machine, this update is worth paying attention to.

The three command-safety fixes

The headline changes centre on PRs #24954, #24946, and #24947, each targeting a distinct execution surface.

Git hook and helper injection via /diff

When you run /diff in Codex CLI, the tool invokes Git under the hood. In earlier versions, that invocation could pick up repository-provided Git helpers or hooks, meaning a malicious or compromised repository could bundle its own scripts and have Codex run them on your machine. This is a classic supply-chain vector: you clone a repo, run a seemingly harmless diff operation, and something executes that you never approved.

Version 0.137.0 prevents /diff from invoking any repository-provided Git helpers or hooks. Codex now controls what Git actually runs, rather than inheriting whatever the repository has configured.

If you regularly work with third-party repositories, open-source projects, or any code you did not write yourself, this is the fix that matters most.

PowerShell parser execution on non-Windows hosts

This one is subtle but important. Earlier versions of Codex CLI could invoke PowerShell parsing logic on Linux and macOS, platforms where there is no legitimate reason to do so. Removing this closes a cross-platform code execution surface. An adversarial input crafted to exploit PowerShell’s parser would have had no traction on a Mac running an agent that simply refused to engage PowerShell at all.

The fix is straightforward: PowerShell parser execution is now restricted to Windows hosts only.

Browser-origin WebSocket rejection

Codex CLI includes a local exec-server that accepts WebSocket connections for remote control. The problem is that a browser-based attack page, open in any tab on your machine, could attempt to open a WebSocket connection to that locally-running server and issue commands through it. This is a standard cross-origin request forgery pattern applied to local software.

The fix rejects WebSocket handshakes that originate from browser contexts. The exec-server will no longer accept connections from web pages, only from legitimate Codex tooling.

What this means for you

If you are a developer using Codex CLI day-to-day, the Git hook fix is the one with the most practical impact. Running /diff on unfamiliar repositories carries real risk without it. The browser WebSocket fix is also meaningful if you tend to keep many tabs open while working locally.

If you are on Linux or macOS, the PowerShell parser restriction removes an execution surface you probably did not know existed. You do not need to do anything; updating to 0.137.0 is sufficient.

If you are a Windows administrator trying to provision Codex CLI in a managed environment, this release adds an alpha codex sandbox setup --elevated path. This is specifically for setting up the Windows sandbox with elevated permissions, something that previously required workarounds. It is labelled alpha, so treat it as early access rather than production-ready, but it signals that proper Windows sandbox support is being built out deliberately.

Additional hardening in this release

Beyond the three headline fixes, the release includes several supporting improvements:

  • Sandbox cleanup: sandboxed commands now clean up more reliably after interruptions or denied network attempts on Windows, and deny-read rules remain enforced across safe-command and approval-bypass paths.
  • Remote WebSocket token security: remote-control WebSocket connections now use short-lived server tokens rather than long-lived ChatGPT access tokens. If a token is ever exposed in a session, the blast radius is significantly smaller.
  • Bedrock auth fallback: AWS Bedrock authentication now falls back to AWS_REGION and AWS_DEFAULT_REGION environment variables, improving compatibility with standard AWS credential setups without extra configuration.

A note on the release cadence

Codex CLI is moving fast. Version 0.137.0 reflects an aggressive shipping pace that has taken the project from a Node.js/TypeScript codebase in mid-2025 to a predominantly Rust implementation. Security hardening releases like this one are a natural consequence of that pace: features ship, attack surfaces get identified, and patches follow in subsequent versions.

The fact that this release is almost entirely security-focused, rather than a mix of features and fixes, suggests the team is taking the threat model seriously. A local coding agent that can read, modify, and execute code has a large potential attack surface. Blocking Git hooks, restricting parser execution, and rejecting browser-origin WebSocket connections are not glamorous changes, but they are exactly the right ones to make.

Update now

You can update via your standard package manager or by pulling the latest release from the openai/codex GitHub repository. The full changelog is available on the OpenAI developer portal.