Max-severity RCE flaw found in Google Gemini CLI

Security researchers are warning about a max severity vulnerability in Google Gemini CLI that could allow remote code execution (RCE) in environments where the tool processes untrusted inputs.

The issue was disclosed by Novee Security researchers and affects the @google/gemini-cli package and its associated GitHub Action, widely used in CI/CD workflows.

“Gemini CLI (@google/gemini-cli) and the run-gemini-cli GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environments like GitHub Actions,” reads a GitHub advisory issued on the flaw.

Google acknowledged the flaw and thanked security researchers Elad Meged from Novee Security and Dan Lisichkin from Pillar Security for reporting the issue through its Vulnerability Rewards Program.

The issue was fixed in @google/gemini-cli versions 0.39.1 and 0.40.0-preview.3. A run-gemini-cli fix was also released in version 0.1.22.

Overtrusting workspace configurations

The problem lay in how the CLI handled workspace trust and command execution in automated, non-interactive environments. “In affected versions, Gemini CLI running in CI environments automatically trusted workspace folders for the purpose of loading configurations and environment variables,” the advisory said.

Attackers could have easily exploited this by injecting their own malicious configurations into the trusted workspace.

“The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,” Novee researcher Elad Meged said in a blog post. “This triggered command execution directly on the host system, bypassing security before the agent’s sandbox even initialized.”

The impact of the flaw was limited to workflows using Gemini CLI in headless mode, without an interactive interface.

While a CVE ID has not been assigned to the flaw yet, Meged said Google assessed a severity rating of 10.0, the maximum on the CVSS scale. The maximum severity rating likely comes from the exploit requiring low complexity, minimal privileges, and little to no user interaction.

Google did not immediately respond to CSO’s request for comments.

The flaw was, however, categorized under CWE-20, CWE-77, CWE-78, and CWE-200, which roughly refer to improper input validation, command injection, and information disclosure weaknesses.

The behavior is now fixed

Google has addressed the issue by removing implicit workspace trust in headless environments and enforcing stricter tool controls, effectively changing how Gemini CLI behaves in CI/CD pipelines.

The patched versions (0.39.1 and 0.40.0-preview.3) now require explicit trust decisions before loading workspace configurations, aligning non-interactive execution with the same safeguards expected in interactive use.

Additionally, the fix closed a critical gap in “--yolo” mode by ensuring that tool allowlisting is actually enforced, preventing loosely scoped permissions from turning into unrestricted command execution.

Previously, allowlisting could be bypassed, letting the CLI run commands outside the intended restrictions.

Google has also brought in a broader ecosystem change. The run-gemini-cli GitHub Action (patched in v0.1.22) now automatically pulls and executes the latest version of the CLI. Workflows that pin a specific gemini-cli-version are advised to upgrade to a patched release and review their existing Gemini CLI configurations to ensure they don’t rely on unsafe defaults.
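
One way to check workflow pins against the fixed releases named above, as an added example that is not part of the original article or of Google's tooling. The `google-github-actions/` owner prefix, the `gemini_cli_version` input spelling and the rule that releases after the fixed ones keep the fix are assumptions; the sample workflow is constructed.

```python
import re

# Fixed releases as stated in the article; later releases are assumed to keep the fix.
CLI_FIXED = (0, 39, 1)
CLI_FIXED_PREVIEW = ((0, 40, 0), 3)  # 0.40.0-preview.3
ACTION_FIXED = (0, 1, 22)

VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$")
# Assumed pin syntax: a `uses:` reference and a version input (hyphen or underscore spelling).
PINS = {
    "action": re.compile(r"uses:\s*\S*run-gemini-cli@([^\s#]+)"),
    "cli": re.compile(r"gemini[-_]cli[-_]version:\s*['\"]?([^'\"\s#]+)"),
}

def status(kind, ref):
    """Classify one pin as 'patched', 'vulnerable' or 'review' (cannot be decided here)."""
    m = VERSION.match(ref)
    if not m:
        return "review"  # floating tag, commit SHA, "latest", ...
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:  # plain release, no pre-release suffix
        fixed = ACTION_FIXED if kind == "action" else CLI_FIXED
        return "patched" if core >= fixed else "vulnerable"
    if kind == "cli" and m.group(4) == "preview":
        return "patched" if (core, int(m.group(5))) >= CLI_FIXED_PREVIEW else "vulnerable"
    return "review"  # other pre-release channels are not covered by the article

def audit(workflow_text):
    """Return (line_number, kind, ref, status) for every pin found in a workflow file."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        for kind, pattern in PINS.items():
            m = pattern.search(line)
            if m:
                findings.append((lineno, kind, m.group(1), status(kind, m.group(1))))
    return findings

# Constructed sample workflow fragment, not taken from any real repository.
SAMPLE = """\
- uses: google-github-actions/run-gemini-cli@v0.1.21
  with:
    gemini_cli_version: "0.40.0-preview.2"
- uses: google-github-actions/run-gemini-cli@v0
  with:
    gemini_cli_version: 0.39.1
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Pins reported as "review" (floating tags, commit SHAs, other pre-release channels) need to be resolved to a concrete release by hand before they can be judged.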
