Google patches Gemini CLI tool after prompt injection flaw uncovered

Published 2025-07-29 at https://cybersecurityinfocus.com/?p=4155 (category: education)

It’s barely been out for a month and already security researchers have discovered a prompt injection vulnerability in Google’s Gemini command line interface (CLI) AI agent that could be exploited to steal sensitive data such as credentials and API keys from unwary developers.

Gemini CLI integrates Google’s LLM with traditional command line tools such as PowerShell or Bash. This allows developers to use natural language prompts to speed up tasks such as analyzing and debugging code, generating documentation, and understanding new repositories (“repos”).

However, within two days of its release on June 25 (https://blog.google/technology/developers/introducing-gemini-cli-open-source-ai-agent/), UK cloud threat detection vendor Tracebit had already spotted (https://tracebit.com/blog/code-exec-deception-gemini-ai-cli-hijack) the software’s first security weaknesses, which developers might encounter when studying unverified open source repos for the first time.

In the proof of concept, the malicious prompts were delivered using an innocuous-looking README.md GNU Public License file of the sort that would be part of any open source repo.

The researchers then uncovered a combination of smaller weaknesses that could be exploited together to run malicious shell commands without the user’s knowledge.

Allowlist exploit

The first weakness is that Gemini CLI sensibly allows users to allowlist frequent commands — for example, grep — to avoid constant “do you want to allow this?” re-prompts. It’s a helpful facility, except that Gemini CLI’s allowlisting couldn’t distinguish between the legitimate grep and a malicious command masquerading as grep.

Because minimal validation was performed, this would allow an attacker to execute any malicious command they wanted, all without the need to re-prompt.

“[That could include] a grep command followed by a command to silently exfiltrate all the user’s environment variables (possibly containing secrets) to a remote server. The malicious command could be anything (installing a remote shell, deleting files, etc),” wrote Tracebit’s Sam Cox.

Granted, the command would execute without a re-prompt, but wouldn’t the user still notice it as it runs in the CLI? If so, this would expose the attacker even if the command had successfully run.

Unfortunately, Tracebit discovered that malicious commands could be hidden in Gemini CLI by packing the command line with blank characters, pushing the malicious commands out of the user’s sight.

“It’s the combination of prompt injection, poor UX considerations that don’t surface risky commands, and insufficient validation on risky commands. When combined, the effects are significant and undetectable,” said Cox.

The same attack failed on rival tools: “When attempting this attack against other AI code tools, we found multiple layers of protections that made it impossible,” Tracebit found.

Developers beware

AI tools are all about speeding up and automating tedious and time-consuming tasks. However, they also do the same thing for prompt injection attackers (https://www.csoonline.com/article/4023795/top-10-mcp-vulnerabilities.html?utm=hybrid_search). The exploit documented by Tracebit involves assumptions, but not unreasonable ones, that an attacker could satisfy under real-world conditions. Meanwhile, the hunt is already underway (https://www.csoonline.com/article/4029862/how-ai-red-teams-find-hidden-flaws-before-attackers-do.html) to find prompt injection flaws across a wide range of contexts and tools.

In short, while Tracebit’s flaw is the first discovered in Gemini CLI, it is probably not the last. The flaws, classified by Google as a high severity (V1) and priority fix (P1), were patched in Gemini CLI v0.1.14 (https://github.com/google-gemini/gemini-cli/releases), released on July 25, which is why we’re hearing about it now.

Beyond updating to the patched version of Gemini CLI, the best advice is always to run tools in sandbox mode to isolate them from the host system. Google’s response to the disclosure, sent to Tracebit, underlined the latter point:

“Our security model for the CLI is centered on providing robust, multi-layered sandboxing. We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection,” the Google Vulnerability Disclosure Program (VDP) team told Tracebit. “For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session.”