CDX-PL-006: Component Path Directory Traversal - Codex CLI
Summary
- Rule ID: CDX-PL-006
- Severity: HIGH
- Category: Codex CLI
- Normative Level: MUST
- Auto-Fix: No
- Verified On: 2026-04-01
Applicability
- Tool: codex
- Version Range: >=0.117.0
- Spec Revision: unspecified
Evidence Sources
Test Coverage Metadata
- Unit tests: true
- Fixture tests: true
- E2E tests: false
Examples
The following examples demonstrate what triggers this rule and how to fix it.
Invalid
{"name": "my-plugin", "mcpServers": "./../../../etc/passwd"}
Valid
{"name": "my-plugin", "mcpServers": "./servers"}