In a significant security update, Google has addressed a critical vulnerability in its Gemini CLI tool that could have enabled attackers to execute remote code within automated development environments. The flaw specifically impacted the npm package @google/gemini-cli and the associated GitHub Action, widely used in CI/CD workflows, particularly in headless environments.

The issue came to light through a detailed security advisory, which revealed that the vulnerability stemmed from two interconnected weaknesses: unsafe workspace trust handling and a bypass of tool allowlisting when operating under the "--yolo" mode. As a result, systems processing untrusted inputs (such as external pull requests or issue submissions) were at considerable risk.

To begin with, the first flaw involved how Gemini CLI handled folder trust in non-interactive or headless modes. Previously, the tool automatically trusted the current workspace without requiring explicit user approval. Consequently, it could load local configuration files and environment variables from the .gemini/ directory. If an attacker managed to insert malicious content into this directory, the CLI could unknowingly execute harmful commands. This behavior created a direct pathway for remote code execution, particularly in CI pipelines working with unverified repositories.

Moreover, the second issue further amplified the risk. It affected how Gemini CLI enforced tool restrictions when running in "--yolo" mode. In earlier versions, the system failed to properly apply the fine-grained restrictions defined in the configuration file. For instance, even if a workflow's allowlist was limited to specific tools such as run_shell_command, the effective policy could become overly permissive. As a result, attackers could exploit this gap using prompt injection techniques, especially in environments that process user-controlled inputs.

Although the advisory clarified that the vulnerability primarily impacted headless deployments, this category includes a substantial number of modern development workflows, especially those using GitHub Actions. Therefore, the potential exposure remained significant.

In response, Google has released patched versions of both the Gemini CLI npm package and the corresponding GitHub Action. The company strongly urges users to upgrade immediately and review their automation configurations. Additionally, Google has introduced a breaking security change: headless mode will no longer automatically trust workspace directories. Instead, organizations must explicitly enable this feature by setting GEMINI_TRUST_WORKSPACE to ‘true’.
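The two weaknesses and the fix described above translate into a short pre-flight audit a CI job can run before invoking the CLI on an external pull request or issue. The script below is an added example, not Google's code and not part of the Gemini CLI project: it flags a .gemini/ directory in the checkout, GEMINI_TRUST_WORKSPACE=true in a job that handles untrusted input, use of --yolo, and an installed package version below the patched one. The sample checkout, its file names, the invocation arguments and the version numbers are all constructed for the demonstration; substitute the patched version from the advisory for the placeholder value.

```python
"""Pre-flight audit for a CI job that runs Gemini CLI on untrusted input.

Added example (not Google's code, not part of the Gemini CLI project). It
checks, before the CLI runs, the conditions the advisory describes:
  * a .gemini/ directory in the checkout, which the unpatched CLI loaded
    without approval in headless mode;
  * GEMINI_TRUST_WORKSPACE set to "true" in a job that handles untrusted input;
  * use of --yolo, where tool restrictions were not enforced before the fix;
  * an installed @google/gemini-cli version below the patched one.
The sample checkout and the version numbers are constructed for the demo.
"""
from __future__ import annotations

import json
import tempfile
from dataclasses import dataclass
from pathlib import Path

CONFIG_DIR = ".gemini"                 # directory the advisory names as the trust vector
TRUST_ENV = "GEMINI_TRUST_WORKSPACE"   # opt-in switch introduced by the fix


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    message: str


def version_tuple(version: str) -> tuple[int, ...]:
    """Parse "1.2.3"; a leading "v" and any "-prerelease" suffix are dropped."""
    core = version.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(installed: str, minimum: str) -> bool:
    return version_tuple(installed) >= version_tuple(minimum)


def workspace_config_files(checkout: Path) -> list[str]:
    """Files under <checkout>/.gemini/ that the CLI may read as local config."""
    cfg = checkout / CONFIG_DIR
    if not cfg.is_dir():
        return []
    return sorted(p.relative_to(checkout).as_posix() for p in cfg.rglob("*") if p.is_file())


def audit(checkout: Path, env: dict[str, str], cli_args: list[str],
          untrusted_input: bool, installed_version: str,
          min_patched_version: str) -> list[Finding]:
    """Return findings; an empty list means the job may proceed."""
    findings: list[Finding] = []

    if not is_patched(installed_version, min_patched_version):
        findings.append(Finding("high", f"@google/gemini-cli {installed_version} "
                                        f"is below patched version {min_patched_version}"))

    trust = env.get(TRUST_ENV, "").strip().lower() == "true"
    if untrusted_input and trust:
        findings.append(Finding("high", f"{TRUST_ENV}=true while the job processes untrusted input"))

    files = workspace_config_files(checkout)
    if untrusted_input and files:
        findings.append(Finding("high", "untrusted checkout contains workspace config: " + ", ".join(files)))

    if "--yolo" in cli_args:
        findings.append(Finding("medium", "--yolo in use: the advisory reports tool restrictions "
                                          "were not enforced in this mode before the fix"))

    return findings


def build_sample_checkout() -> Path:
    """Constructed checkout that mimics a PR shipping its own .gemini/ config."""
    root = Path(tempfile.mkdtemp(prefix="gemini-audit-"))
    cfg = root / CONFIG_DIR
    cfg.mkdir()
    # Constructed content; the settings schema is not taken from the advisory.
    (cfg / "settings.json").write_text(json.dumps({"constructed": "planted-by-pr"}))
    (cfg / ".env").write_text("CONSTRUCTED_VAR=1\n")
    return root


def demo() -> list[Finding]:
    """Worst case: trust opted in, --yolo on, old version, planted config."""
    checkout = build_sample_checkout()
    env = {TRUST_ENV: "true"}
    args = ["--yolo", "--prompt", "review this PR"]   # constructed invocation
    # Constructed version numbers; replace "0.2.0" with the advisory's patched version.
    return audit(checkout, env, args, untrusted_input=True,
                 installed_version="0.1.0", min_patched_version="0.2.0")


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.message}")
```

Running it as a job step that fails on any "high" finding keeps the fixed default (no automatic workspace trust) from being silently re-enabled by a later edit to the workflow, and surfaces a planted .gemini/ directory before the CLI ever reads it.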

Furthermore, Google recommends that teams handling untrusted inputs strictly follow its updated security hardening guidelines. This includes carefully reviewing tool permissions and command execution policies to prevent misuse.

The vulnerability was responsibly disclosed by Elad Meged of Novee Security and Dan Lisichkin of Pillar Security through Google’s Vulnerability Rewards Program. Their findings underscore a broader and growing concern in the cybersecurity landscape.

As AI-powered developer tools continue to evolve, the integration of automation, prompt handling, and shell access introduces new attack surfaces. This incident clearly highlights how even minor policy gaps can rapidly escalate into critical threats when exposed to untrusted inputs.
