Red Hot Cyber


Critical vulnerability in Google’s Gemini CLI allows malicious commands to be executed.

Redazione RHC : 8 August 2025 07:25

A serious vulnerability has been discovered in Google’s recently released Gemini CLI tool, which allows attackers to silently execute malicious commands and leak data from developers’ computers if certain commands are enabled on the system. The vulnerability was discovered by Tracebit just two days after the tool’s release. The issue was immediately reported to Google, and update 0.1.14 was released on July 25, eliminating the vulnerability.

Gemini CLI is a command-line interface for interacting with Google’s Gemini AI, released on June 25, 2025. The tool is designed to assist developers by loading project files into a “context” and enabling natural language interaction with the language model. In addition to code generation and suggestions, Gemini CLI can execute commands locally, either with user approval or automatically if the command is on a list of allowed commands.

Tracebit specialists began studying the tool soon after its release and discovered that it can be forced to execute malicious commands without the user’s knowledge. The problem lies in the context management mechanism: Gemini CLI analyzes the contents of files such as README.md and GEMINI.md, using them as hints to understand the project structure. However, they can hide instructions that lead to prompt injection and the launch of external commands.

The Tracebit researchers demonstrated how to create a harmless Python application with a modified README file, where the first command appears safe, such as grep ^Setup README.md. But then, after a semicolon, a second command is inserted, which secretly sends environment variables (which may contain secrets) to a remote server. Since grep is allowed by the user on the system, the entire line is perceived as trusted and is executed automatically.

This is the essence of the attack: due to weak command parsing and a naive approach to the list of allowed actions, Gemini CLI interprets the entire line as a “grep” command and doesn’t ask for confirmation. Additionally, the displayed command can be visually masked by hiding the malicious part behind a long run of spaces, so that the user won’t notice the trick.
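As an added illustration (not code from Tracebit or from the Gemini CLI project), here is the weak first-word allowlist check beside a stricter one that lets the shell’s own tokenization rules, via Python’s shlex, decide whether a line is really a single allowlisted command; the allowlist and sample command lines are constructed.

```python
import shlex

# Constructed allowlist: command names the user has already approved to run
# without a confirmation prompt (the article describes "grep" being allowed).
ALLOWLIST = {"grep", "ls", "cat"}

# Tokens that make a shell run more than one command, or redirect its I/O.
OPERATORS = {";", "&&", "||", "|", "&", ">", ">>", "<", "<<", "(", ")"}


def naive_is_allowed(command: str) -> bool:
    """Weak check: trust the whole line if its first word is allowlisted."""
    words = command.split()
    return bool(words) and words[0] in ALLOWLIST


def strict_is_allowed(command: str) -> bool:
    """Hardened check: the line must be exactly one allowlisted command.

    POSIX-style tokenization with operator characters split out decides what
    the line contains, not a string prefix.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:
        # Unbalanced quotes: refuse instead of guessing what the shell would do.
        return False
    if not tokens or tokens[0] not in ALLOWLIST:
        return False
    for tok in tokens[1:]:
        # Chaining/redirection operators, command substitution ($(..) or `..`)
        # and variable expansion all mean "more than a grep".
        if tok in OPERATORS or "$" in tok or "`" in tok:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a benign grep, then the same line with a second
    # command hidden behind a run of spaces, as the article describes.
    benign = "grep ^Setup README.md"
    chained = benign + " " * 40 + "; env"
    for line in (benign, chained):
        print(repr(line[:30]), naive_is_allowed(line), strict_is_allowed(line))
```

The naive check accepts both lines; the strict check accepts only the first.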

As a proof of concept, Tracebit recorded a video demonstrating the exploit. While the attack requires certain conditions to be met, such as user consent to the execution of certain commands, resistance to such schemes should be built in by default, especially in tools that interact with code.

Tracebit developers emphasize that this is a clear example of how vulnerable AI tools can be to manipulation. Even with seemingly innocuous actions, they can perform dangerous operations when used in a trusted environment.

Gemini CLI users are advised to immediately update to version 0.1.14 and avoid analyzing unfamiliar repositories outside of sandbox environments. Unlike the Gemini CLI, other similar tools, such as OpenAI Codex and Anthropic Claude, have proven resistant to similar attack methods thanks to stricter command authorization rules.
