CODEX PATCHES CRITICAL XML PARSER VULNERABILITIES
By RepoJournal · About OpenAI
Two denial-of-service flaws in quick-xml forced an emergency upgrade path that leaves the codebase split between safe and legacy versions.
Codex shipped a fix for RUSTSEC-2026-0194 and RUSTSEC-2026-0195, two denial-of-service vulnerabilities in quick-xml 0.38.4 that were causing cargo-deny to fail on main [1]. The team upgraded to quick-xml 0.41.0 wherever possible, but had to keep a 0.39.4 copy in the tree because plist and wayland-scanner have not yet adopted the newer release [1]. The mitigating factor: neither of the retained 0.39.4 paths accepts attacker-controlled XML, so the exposure is contained.

In parallel, the team shipped three feature-tier changes: configurable multi-agent mode hint text, for deployments that need stable delegation policies regardless of reasoning effort [2]; structured JSON telemetry for direct tool-call timing, so app servers can measure the dispatch and execution phases separately [3]; and a websockets fix that ignores metadata when comparing incremental requests against the Responses API, which improves success rates [4].
Action items
- Verify quick-xml 0.41.0 adoption in your dependency tree; if you're on plist or wayland-scanner, confirm no blockers before upgrading (openai/codex) [immediate]
- If running multi-agent V2, test the new multi_agent_mode_hint_text configuration in staging (openai/codex) [plan]
- For app-server deployments consuming structured logs, enable the new tool-call timing telemetry and validate parser compatibility (openai/codex) [plan]
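To make the first action item concrete, here is an added example (not code from the Codex repository) that audits a Cargo.lock and reports every resolved quick-xml version together with the crates that pull it in, so a split like 0.41.0 alongside a retained 0.39.4 and its remaining consumers is visible at a glance. The lock excerpt, the crate name example-app and every version other than quick-xml 0.39.4 and 0.41.0 are constructed for the example.

```python
import re
# Constructed excerpt (assumption): only the quick-xml 0.39.4/0.41.0 split and its consumers plist and wayland-scanner come from the advisory fix.
SAMPLE_LOCK = """\
[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "quick-xml 0.41.0",
]
[[package]]
name = "plist"
version = "1.7.0"
dependencies = [
 "quick-xml 0.39.4",
]
[[package]]
name = "quick-xml"
version = "0.39.4"
[[package]]
name = "quick-xml"
version = "0.41.0"
[[package]]
name = "wayland-scanner"
version = "0.31.0"
dependencies = [
 "quick-xml 0.39.4",
]
"""

def parse_lock(text):
    """Return (name, version, dependency entries) for each [[package]] block."""
    packages = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.findall(r'^\s+"([^"]+)",?$', block, re.M)
        packages.append((name, version, deps))
    return packages

def audit_crate(text, crate, safe_version):
    """Map every resolved version of `crate` to (is_safe, sorted dependents)."""
    packages = parse_lock(text)
    versions = sorted(v for n, v, _ in packages if n == crate)
    dependents = {}
    for name, _, deps in packages:
        for dep in deps:
            parts = dep.split()  # "quick-xml 0.39.4" only when several versions are resolved
            if parts[0] == crate:
                ver = parts[1] if len(parts) > 1 else versions[0]
                dependents.setdefault(ver, []).append(name)
    return {v: (v == safe_version, sorted(dependents.get(v, []))) for v in versions}
```

Run it against a real Cargo.lock by reading the file into `audit_crate` with the crate name and the version your advisory scan treats as fixed; any version flagged unsafe lists exactly the crates blocking a full upgrade.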
References
- [1] openai/codex: fix: address quick-xml security advisories (#30941)
- [2] openai/codex: [codex] Add configurable multi-agent mode hint text
- [3] openai/codex: telemetry: log structured direct tool-call timing
- [4] openai/codex: fix(websockets) ignore metadata for incremental requests
FAQ
- What changed in OpenAI on July 3, 2026?
- Two denial-of-service flaws in quick-xml forced an emergency upgrade path that leaves the codebase split between safe and legacy versions.
- What should OpenAI teams do about it?
- Verify quick-xml 0.41.0 adoption in your dependency tree; if you're on plist or wayland-scanner, confirm no blockers before upgrading • If running multi-agent V2, test the new multi_agent_mode_hint_text configuration in staging • For app-server deployments consuming structured logs, enable the new tool-call timing telemetry and validate parser compatibility
- Which OpenAI repositories shipped on July 3, 2026?
- openai/codex