RepoJournal
The Wire · Showcase

CODEX PATCHES CRITICAL XML PARSER VULNERABILITIES

By RepoJournal · Filed · About OpenAI

Two denial-of-service flaws in quick-xml forced an emergency upgrade path that leaves the codebase split between safe and legacy versions.

Codex shipped a fix for RUSTSEC-2026-0194 and RUSTSEC-2026-0195, both DoS vulnerabilities in quick-xml 0.38.4 that caused cargo-deny to fail on main [1]. The team upgraded to quick-xml 0.41.0 where possible, but had to keep a 0.39.4 copy in place because plist and wayland-scanner haven't adopted the latest version yet [1]. The good news: neither retained path accepts attacker-controlled XML, so the vulnerability surface is contained.

In parallel, the team shipped three feature-tier changes: configurable multi-agent mode hint text for deployments that need stable delegation policies regardless of reasoning effort [2], structured JSON telemetry for direct tool-call timing to let app servers measure dispatch and execution phases separately [3], and a websockets fix that ignores metadata when comparing incremental requests to the Responses API, improving success rates [4].

Action items

References

  [1] fix: address quick-xml security advisories (#30941) - openai/codex
  [2] [codex] Add configurable multi-agent mode hint text - openai/codex
  [3] telemetry: log structured direct tool-call timing - openai/codex
  [4] fix(websockets) ignore metadata for incremental requests - openai/codex

FAQ

What changed in OpenAI on July 3, 2026?
Two denial-of-service flaws in quick-xml forced an emergency upgrade path that leaves the codebase split between safe and legacy versions.
What should OpenAI teams do about it?
  • Verify quick-xml 0.41.0 adoption in your dependency tree; if you're on plist or wayland-scanner, confirm no blockers before upgrading
  • If running multi-agent V2, test the new multi_agent_mode_hint_text configuration in staging
  • For app-server deployments consuming structured logs, enable the new tool-call timing telemetry and validate parser compatibility
Which OpenAI repositories shipped on July 3, 2026?
openai/codex
