Exposing the Codex App Server Without Authentication May Allow Remote Command Execution

OpenAI’s Codex app-server exposes a JSON-RPC/websocket control interface (for example ws://127.0.0.1:4500) that includes a documented command/exec method capable of running system commands. Because the server can be started bound to non-local interfaces without enforced authentication, an unauthenticated remote client can connect and invoke command/exec, enabling remote command execution. Operators should restrict binding, use protected channels, and enable --ws-auth to mitigate the risk.

Keypoints

  • Codex app-server provides a JSON-RPC interface and websocket endpoint intended to connect Codex to external clients and tools, exposing operational APIs including command/exec.
  • Official documentation frames the component for local or trusted environments, showing examples using stdio or loopback websocket (ws://127.0.0.1:4500).
  • Source code and runtime warnings acknowledge the network exposure risks and advise authentication when bound to non-local addresses, but these warnings are not enforced technically.
  • The server can be launched bound to 0.0.0.0 without authentication; in this configuration a remote client can complete the websocket handshake and access the full API set, including command/exec.
  • Sandboxing described for executed processes does not protect the control interface; experiments confirmed that arbitrary commands (including tools like nmap) could be executed, with their output returned, under the default configuration.
  • Mitigations recommended: restrict use to local/trusted contexts, avoid binding to public interfaces, use encrypted/protected channels for remote access, and always enable authentication (e.g., --ws-auth); product hardening to prevent non-local listeners without auth is advised.
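
A host-side check for the binding condition described in the key points, as an added example that is not from the original advisory or from the Codex project: it parses the output of ss -H -ltnp and reports listeners owned by the server process that are not loopback-only. The process name "codex" and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:4500 0.0.0.0:* users:(("codex",pid=2101,fd=9))
LISTEN 0 128 0.0.0.0:4500 0.0.0.0:* users:(("codex",pid=2202,fd=9))
LISTEN 0 128 [::1]:4501 [::]:* users:(("codex",pid=2303,fd=9))
LISTEN 0 128 *:4502 *:* users:(("codex",pid=2404,fd=9))
LISTEN 0 128 10.0.0.5:4503 0.0.0.0:* users:(("codex",pid=2505,fd=9))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=900,fd=6))
"""

# First (name, pid) pair in the ss "users:" column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def split_local(field):
    """Split an ss local-address field into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %iface scope
    return host, int(port)

def is_loopback_only(host):
    """True only when the listener is reachable from the local host alone."""
    if host == "*":  # ss prints * for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output, process_name="codex"):
    """Return (pid, host, port) for each non-loopback listener of process_name."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        proc = PROC_RE.search(" ".join(fields[5:]))
        if not proc or proc.group(1) != process_name:  # name is an assumption
            continue
        host, port = split_local(fields[3])
        if not is_loopback_only(host):
            findings.append((int(proc.group(2)), host, port))
    return findings

if __name__ == "__main__":
    for pid, host, port in exposed_listeners(SAMPLE_SS):
        print(f"pid {pid}: listener on {host}:{port} is reachable off-host")
```

Any listener it reports should either be rebound to loopback or be running with --ws-auth; the check covers binding only, not whether authentication is enabled.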

Indicators of Compromise

  • [IP Address] Service binding context – 127.0.0.1 (loopback example), 0.0.0.0 (all interfaces example)
  • [Network Endpoint / URL] Websocket example – ws://127.0.0.1:4500
  • [API Method] Control interface context – command/exec
  • [CLI Option / Configuration] Authentication flag context – --ws-auth
  • [Tool / Binary] Example of system tool invoked via API – nmap


Read more: https://cert-agid.gov.it/news/esposizione-remota-non-sicura-dellapp-server-codex-con-capacita-di-esecuzione-comandi/