Overview
Google has patched a maximum-severity vulnerability (CVSS 10.0) in its Gemini CLI tooling — spanning the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow — that could allow an unprivileged remote attacker to execute arbitrary commands on host systems. Discovered by Novee Security, the flaw is particularly dangerous because it exploits the agent’s own trust model, bypassing sandbox protections before they can initialise.
Technical Analysis
The root cause lies in how Gemini CLI handled workspace trust in headless (CI) mode. Prior to the patch, any workspace folder was automatically trusted, meaning the agent would load configuration files — including environment variable definitions — from the local .gemini/ directory without explicit user consent, sandboxing, or validation.
An attacker with the ability to introduce files into the workspace (e.g., via a malicious pull request to a repository whose CI pipeline uses Gemini CLI) could plant a crafted .gemini/ configuration containing malicious environment variables. When the CI runner processed the PR, Gemini CLI would load this configuration and execute attacker-controlled commands directly on the host, entirely outside the sandbox boundary.
# Example attack path
1. Attacker submits PR containing .gemini/settings.json with malicious env vars
2. CI workflow triggers Gemini CLI in headless mode
3. CLI auto-trusts workspace, loads .gemini/ config pre-sandbox
4. Malicious payload executes on CI runner host
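The control the advisory implies was missing is a trust decision taken before the agent starts, rather than an unconditional trust of whatever was checked out. The following Python script is an added example (not Gemini CLI's or Google's code) of such a pre-flight check for a CI job: it refuses workspace trust when the change comes from an untrusted actor or touches the agent's `.gemini/` directory, and only on a positive decision does it emit the `GEMINI_TRUST_WORKSPACE` variable the advisory's guidance names. The changed-file list and the settings file it inspects are constructed; in a real job the list would come from `git diff --name-only`, and the `env` key in the constructed settings file is a stand-in, not the real settings schema.

```python
"""Pre-flight trust decision for a CI job that runs an agent CLI headlessly.

Added example, not Gemini CLI's or Google's code. Before the agent starts,
decide whether the checked-out workspace may be trusted, based on who authored
the change and whether it touches the agent's own configuration directory.
"""
import json
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath

CONFIG_DIR = ".gemini"                 # directory the advisory names as auto-loaded
TRUST_VAR = "GEMINI_TRUST_WORKSPACE"   # variable named in the advisory's guidance


@dataclass
class TrustDecision:
    trust_workspace: bool
    findings: list = field(default_factory=list)

    def agent_env(self):
        """Environment to hand the agent: the trust variable is set only on a
        positive decision, never by default."""
        return {TRUST_VAR: "true"} if self.trust_workspace else {}


def config_paths(changed_paths):
    """Changed paths that live under the agent config directory, at any depth."""
    return [p for p in changed_paths if CONFIG_DIR in PurePosixPath(p).parts]


def settings_keys(path):
    """Top-level keys of a settings JSON file. A file that does not parse is
    reported rather than skipped: it is still input shaped by the change."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"<unreadable: {type(exc).__name__}>"]
    return sorted(data) if isinstance(data, dict) else ["<non-object>"]


def decide(changed_paths, actor_trusted, workspace_root=None):
    """Trust the workspace only if a trusted actor authored the change AND the
    change leaves the agent configuration untouched. Config edits, even from
    maintainers, are reviewed with trust disabled."""
    findings = []
    hits = config_paths(changed_paths)
    for p in hits:
        detail = ""
        if workspace_root is not None:
            detail = f"; top-level keys: {settings_keys(os.path.join(workspace_root, p))}"
        findings.append(f"{p} modified in this change{detail}")
    if not actor_trusted:
        findings.append("change authored by an untrusted actor")
    return TrustDecision(actor_trusted and not hits, findings)


def main():
    # Constructed workspace: a change that adds a settings file under .gemini/.
    # The "env" key is a constructed stand-in, not the real settings schema.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, CONFIG_DIR))
        with open(os.path.join(root, CONFIG_DIR, "settings.json"), "w") as fh:
            json.dump({"env": {"EXAMPLE_VAR": "constructed value"}}, fh)
        changed = ["src/app.py", f"{CONFIG_DIR}/settings.json"]
        for actor_trusted in (False, True):
            d = decide(changed, actor_trusted, root)
            print(f"actor_trusted={actor_trusted}: trust={d.trust_workspace} env={d.agent_env()}")
            for finding in d.findings:
                print("  -", finding)


if __name__ == "__main__":
    main()
```

The decision is deliberately conjunctive: an external contributor never gets trust, and a maintainer's change that edits `.gemini/` is run untrusted so the configuration change itself gets reviewed before it can influence the agent.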
A secondary vulnerability existed in --yolo (auto-approve) mode: the tool ignored configured tool allowlists in ~/.gemini/settings.json and would automatically approve all tool calls — including run_shell_command — without user confirmation. This opened a direct prompt injection pathway via untrusted inputs such as GitHub Issues.
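To make the --yolo defect concrete, here is an added Python example (not Gemini CLI's code) of a tool-call approval gate in its pre-fix shape, as the advisory describes it, beside the shape an enforced allowlist gives. The allowlist is passed in as a plain list; how `~/.gemini/settings.json` actually spells it is not modelled. The tool names other than `run_shell_command` and the replayed call sequence are constructed.

```python
"""Tool-call approval gate: the --yolo defect the advisory describes, beside
the behaviour an enforced allowlist gives. Added example, not Gemini CLI's code.
"""
from enum import Enum


class Verdict(Enum):
    APPROVE = "approve"      # run without asking
    ASK_USER = "ask_user"    # needs a human confirmation (no human exists in headless CI)
    DENY = "deny"


def gate_vulnerable(tool_name, allowlist, auto_approve):
    """Pre-fix behaviour as the advisory describes it: auto-approve
    short-circuits the decision, so the allowlist is never consulted."""
    if auto_approve:
        return Verdict.APPROVE
    return Verdict.APPROVE if tool_name in allowlist else Verdict.ASK_USER


def gate_fixed(tool_name, allowlist, auto_approve):
    """Allowlisted tools run; anything else needs a human, and auto-approve is
    not a substitute for one. With nobody to ask, the answer is deny."""
    if tool_name in allowlist:
        return Verdict.APPROVE
    return Verdict.DENY if auto_approve else Verdict.ASK_USER


def replay(tool_calls, allowlist, auto_approve, gate):
    """Run a sequence of tool calls through a gate and report each verdict."""
    return {name: gate(name, allowlist, auto_approve).value for name in tool_calls}


# Constructed session: the model was asked to triage an issue, and the issue
# text steered it into requesting a shell command alongside legitimate reads.
# Tool names other than run_shell_command are illustrative, not the real set.
ALLOWLIST = ["read_file", "glob", "search_file_content"]
CALLS = ["read_file", "search_file_content", "run_shell_command"]

if __name__ == "__main__":
    for label, gate in (("vulnerable", gate_vulnerable), ("fixed", gate_fixed)):
        print(label, replay(CALLS, ALLOWLIST, auto_approve=True, gate=gate))
```

The fixed gate makes the allowlist the outer boundary and auto-approve only a way to skip the confirmation prompt for tools that were already permitted, which is the property the advisory's "validate that tool allowlists are enforced" recommendation asks you to confirm on a patched install.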
Affected versions:
- @google/gemini-cli < 0.39.1 and < 0.40.0-preview.3
- google-github-actions/run-gemini-cli < 0.1.22
Framework Mapping
MITRE ATLAS:
- AML.T0051 (LLM Prompt Injection): The --yolo mode vector directly exploits prompt injection to trigger shell execution via untrusted issue/PR content.
- AML.T0010 (ML Supply Chain Compromise): Weaponising CI/CD pipelines through planted workspace configuration constitutes a supply chain attack on ML-integrated development workflows.
- AML.T0047 (ML-Enabled Product or Service): The vulnerability exists at the integration layer of an AI-enabled developer tool embedded in production pipelines.
OWASP LLM Top 10:
- LLM01 (Prompt Injection): Malicious content in issues/PRs drives unintended tool execution.
- LLM05 (Supply Chain Vulnerabilities): CI pipeline compromise via workspace configuration injection.
- LLM07 (Insecure Plugin Design): The run_shell_command tool lacked adequate invocation controls in auto-approve mode.
- LLM08 (Excessive Agency): Auto-approval of all tool calls without allowlist enforcement exemplifies excessive agency.
Impact Assessment
The impact is severe for any organisation using Gemini CLI in CI pipelines to process untrusted inputs — a common pattern for PR review automation. Successful exploitation grants full code execution on the CI runner, enabling secrets theft, pipeline poisoning, and lateral movement into production environments. The lack of a CVE identifier does not diminish the severity; the CVSS 10.0 rating reflects unauthenticated, remote, zero-user-interaction exploitability.
Mitigation & Recommendations
- Patch immediately: Upgrade to @google/gemini-cli ≥ 0.39.1 (stable) or ≥ 0.40.0-preview.3 (preview), and google-github-actions/run-gemini-cli ≥ 0.1.22.
- Explicit trust configuration: Set GEMINI_TRUST_WORKSPACE: 'true' only in workflows processing trusted inputs. For untrusted inputs, follow Google's hardening guidance.
- Restrict --yolo mode: Avoid deploying auto-approve mode against any untrusted input surface. Validate that tool allowlists in ~/.gemini/settings.json are enforced on version 0.39.1+.
- Audit CI pipelines: Review all workflows that invoke Gemini CLI, particularly those triggered by external contributors.
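The last three recommendations can be checked mechanically across a repository's workflows. The following Python audit is an added example (not Google's tooling) that flags the three patterns the advice targets: GEMINI_TRUST_WORKSPACE granted on a trigger an external contributor can fire, --yolo passed on such a trigger, and a run-gemini-cli version below 0.1.22. It takes workflows already parsed into dictionaries (what `yaml.safe_load` returns), so it runs without a YAML library here; the two workflows below are constructed, and the `with:` input names in them (`prompt`, `extra_args`) are placeholders rather than the action's real inputs, so the --yolo check is a string heuristic over all `with:` values.

```python
"""Audit parsed GitHub Actions workflows for the Gemini CLI patterns the
advisory's recommendations target. Added example, not Google's tooling.
"""
import re

ACTION = "google-github-actions/run-gemini-cli"
TRUST_VAR = "GEMINI_TRUST_WORKSPACE"
MIN_ACTION_VERSION = (0, 1, 22)
# Events whose payload or checkout can be shaped by an external contributor.
UNTRUSTED_EVENTS = {"pull_request", "pull_request_target", "issues",
                    "issue_comment", "discussion", "discussion_comment"}


def workflow_events(wf):
    # PyYAML parses a bare `on:` key as boolean True, so accept both spellings.
    on = wf.get("on", wf.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def version_at_least(uses, minimum):
    """True/False for a tag like @v0.1.20; None when the ref is not a version
    (SHA or branch), which the caller reports for manual verification."""
    ref = uses.split("@", 1)[1] if "@" in uses else ""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) >= minimum


def truthy(value):
    return str(value).strip().lower() == "true"


def audit(wf, name):
    findings = []
    untrusted = sorted(workflow_events(wf) & UNTRUSTED_EVENTS)
    for job_name, job in (wf.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            uses = str(step.get("uses", ""))
            if not uses.startswith(ACTION):
                continue
            loc = f"{name}:{job_name}:steps[{idx}]"
            # Effective environment: workflow < job < step precedence.
            env = {**(wf.get("env") or {}), **(job.get("env") or {}), **(step.get("env") or {})}
            if untrusted and truthy(env.get(TRUST_VAR)):
                findings.append(f"{loc}: {TRUST_VAR}=true on untrusted trigger(s) {untrusted}")
            # Heuristic: look for a --yolo token in any of the step's inputs.
            args = " ".join(str(v) for v in (step.get("with") or {}).values())
            if untrusted and "--yolo" in args.split():
                findings.append(f"{loc}: --yolo (auto-approve) on untrusted trigger(s) {untrusted}")
            ok = version_at_least(uses, MIN_ACTION_VERSION)
            if ok is False:
                findings.append(f"{loc}: {uses} is below v0.1.22")
            elif ok is None:
                findings.append(f"{loc}: {uses} is not a version tag; confirm it resolves to >= 0.1.22")
    return findings


# Constructed: PR-review automation that grants trust and auto-approval to
# anything a fork can send, on an action version the advisory lists as affected.
UNSAFE = {
    "on": {"pull_request_target": {"types": ["opened"]}},
    "env": {TRUST_VAR: "true"},
    "jobs": {"review": {"steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": f"{ACTION}@v0.1.20", "with": {"prompt": "review this PR", "extra_args": "--yolo"}},
    ]}},
}

# Constructed: trust granted only on pushes to the default branch, patched action.
SAFE = {
    "on": {"push": {"branches": ["main"]}},
    "jobs": {"nightly": {"env": {TRUST_VAR: "true"}, "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": f"{ACTION}@v0.1.22", "with": {"prompt": "summarise today's commits"}},
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("unsafe.yml", UNSAFE), ("safe.yml", SAFE)):
        print(name, audit(wf, name) or ["no findings"])
```

Refs pinned to a commit SHA or branch are reported as "confirm" rather than pass or fail, since a SHA can only be mapped to a version by resolving it against the action repository.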