Google has patched a critical security vulnerability in its Gemini command line interface tool, a flaw that could have allowed attackers to execute arbitrary commands on affected host systems. The issue, assigned a CVSS severity score of 10, the highest possible, was found in the “@google/gemini-cli” npm package and the related “google-github-actions/run-gemini-cli” GitHub Actions workflow.
The vulnerability was discovered and reported by security researcher Peter Stöckli. According to Google’s advisory, the problem stemmed from inadequate input validation. An attacker could force the Gemini CLI to load malicious configuration data, leading to remote code execution.
“The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,” a statement from the Google security team explained. This design flaw permitted the attacker to execute arbitrary commands on a developer’s machine when they ran the Gemini CLI tool.
The Gemini CLI is designed to help developers interact with Google’s Gemini AI model directly from a terminal or within continuous integration and continuous deployment (CI/CD) pipelines. The flaw specifically impacted users who ran the tool, as it could be tricked into downloading and executing harmful code from external sources without proper verification.
Scope of the Vulnerability
The issue was not limited to local command line usage. The vulnerability also affected the Google-maintained GitHub Action for running Gemini CLI within automated workflows. This meant that a compromised or malicious pull request could potentially trigger code execution inside a GitHub Actions runner, a common environment for software builds and testing.
Google confirmed that no active exploitation of this vulnerability had been detected prior to the fix. However, the company emphasized the urgency of applying the patch given the maximum severity rating. A CVSS score of 10 indicates that a vulnerability is easily exploitable and that successful exploitation can have a catastrophic impact on the confidentiality, integrity, and availability of the affected system.
Remediation and Patches
Google has released patched versions of the affected components. For the npm package, users are advised to update to version 0.1.9 or later. For the GitHub Actions workflow, the fix is included in version 0.1.9 of the action.
The patch introduces stricter input validation and prevents the tool from loading configuration files from untrusted sources. Developers who use the Gemini CLI in their local development environment or in CI/CD pipelines are urged to update immediately to protect against potential attacks.
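As an added example, not part of the article or of Google's tooling, the following Python check flags installs that predate the fixed versions named above: it reads a package-lock.json for "@google/gemini-cli" and scans GitHub workflow "uses:" lines for "google-github-actions/run-gemini-cli". The lockfile and workflow inputs are constructed samples, and the assumption that the action is referenced by a vX.Y.Z tag is handled by reporting any other ref (such as a commit SHA) as unverified rather than guessing.

```python
import json
import re

# Versions stated in the article: 0.1.9 fixes both components; anything below is affected.
FIXED = (0, 1, 9)
NPM_PACKAGE = "@google/gemini-cli"
ACTION = "google-github-actions/run-gemini-cli"

def parse_version(text):
    """'v0.1.8' / '0.1.8-rc1' -> (0, 1, 8); None for non-numeric refs such as commit SHAs."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def check_lockfile(lock_json):
    """Return (installed_version, is_vulnerable) for the npm package in a
    package-lock.json using the lockfileVersion 2/3 'packages' layout, or None if absent."""
    entry = json.loads(lock_json).get("packages", {}).get(f"node_modules/{NPM_PACKAGE}")
    if entry is None:
        return None
    ver = parse_version(entry.get("version", ""))
    return entry.get("version"), ver is not None and ver < FIXED

def check_workflow(yaml_text):
    """Return (line_no, ref, verdict) for each 'uses:' line that references the action.
    A ref that is not a numeric version (e.g. a pinned SHA) is reported as 'unverified'
    so it can be mapped to a release by hand instead of being silently passed."""
    pattern = re.compile(rf"uses:\s*{re.escape(ACTION)}@(\S+)")
    findings = []
    for n, line in enumerate(yaml_text.splitlines(), 1):
        m = pattern.search(line)
        if not m:
            continue
        ver = parse_version(m.group(1))
        verdict = "unverified" if ver is None else ("vulnerable" if ver < FIXED else "fixed")
        findings.append((n, m.group(1), verdict))
    return findings

# Constructed sample inputs (not taken from the article or any real repository).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/@google/gemini-cli": {"version": "0.1.8"}}})
SAMPLE_WORKFLOW = """\
steps:
  - uses: google-github-actions/run-gemini-cli@v0.1.8
  - uses: google-github-actions/run-gemini-cli@v0.1.9
  - uses: google-github-actions/run-gemini-cli@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    print(NPM_PACKAGE, check_lockfile(SAMPLE_LOCK))
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(ACTION, *finding)
```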
Implications for Developers
This incident highlights the growing security risks associated with AI-powered development tools. As these tools become more integrated into developer workflows, they also become attractive targets for attackers. The Gemini CLI flaw is a specific example of how a seemingly benign tool can introduce a critical attack vector if security measures are not rigorously applied throughout the supply chain.
The vulnerability underscores the importance of treating AI assistants and command line tools as part of the broader software supply chain. Security researchers recommend that organizations verify the integrity of their software dependencies, including tools from major vendors, and implement controls to prevent unauthorized code execution.
Industry Context
The vulnerability in Google’s Gemini CLI is not an isolated case. Other AI coding tools, including Cursor, have recently been found to contain similar flaws that could enable code execution. These incidents collectively suggest a pattern in which the rush to integrate AI capabilities into development environments may be outpacing the implementation of robust security guardrails.
Security experts advise developers to remain vigilant. While tools like Gemini CLI offer significant productivity benefits, they introduce new vectors for supply chain attacks. Developers should treat updates for these tools with the same urgency as critical operating system or library patches.
Moving forward, Google is expected to continue hardening its AI development tools against such attacks. The company has stated that it is reviewing its internal security processes for new AI products to prevent similar vulnerabilities. Users should expect further security advisories as the company conducts additional audits of its AI-powered offerings.
Source: BleepingComputer