Critical Vulnerability in Google Gemini CLI Allows Malicious Code Execution

The cybersecurity service Tracebit identified a critical vulnerability in the Google Gemini CLI. This flaw allows for the stealthy execution of malicious commands when users view suspicious code through the neural network.

Google Gemini CLI is a command-line interface tool that enables developers to directly interact with Google’s Gemini AI model from their terminal. Its functionalities include:

Tracebit employee Sam Cox mentioned that «the toxic mix of inadequate validation, command injection via prompts, and a misleading interface leads to the silent execution of harmful commands when code is viewed.»

By embedding the «prompt injection» within a README.md file, which also included the full text of the GNU Public License and accompanied a seemingly safe Python script, the expert managed to trick Gemini into transmitting credentials using the env and curl commands to a waiting remote server.

Initially, Google assigned the vulnerability identified by Cox a priority level of two and a severity rating of four within their Bug Hunters program after they received the report on June 27.

About three weeks later, the company reclassified the vulnerability as the most severe, requiring urgent and immediate attention, due to the potential for significant data leaks, unauthorized access, or arbitrary code execution.

Users are advised to upgrade to Gemini version 0.1.14, which incorporates protective mechanisms against shell command execution and implements countermeasures against the described attack.

Enabling «sandboxing»—an isolated environment that safeguards the user’s system—also mitigates the attack discovered by Cox.

It is important to note that upon installation, Gemini CLI runs without sandboxing by default.

As a reminder, in June, the AI tool Xbow topped the leaderboard for white hat hackers who reported the highest number of vulnerabilities in major software companies.