Tracebit has reported the discovery of a vulnerability affecting Google’s Gemini CLI, highlighting risks of silent credential theft and unauthorised command execution from untrusted code.
The Gemini CLI tool, designed to assist developers in coding with Google Gemini directly from the command line, was released by Google on 25 June. Tracebit identified the vulnerability within two days, describing a combination of improper validation, prompt injection and misleading user experience as enabling the flaw. This allowed potential attackers to execute arbitrary code without the victim’s knowledge when inspecting untrusted code, thereby risking the exfiltration of credentials and sensitive data from users’ machines to remote servers.
Tracebit's blog post sets out a technical method by which an attacker could exploit Gemini CLI to achieve silent code execution against users working with untrusted code. Because of the way the exploit operates, the attack could remain hidden from victims.
Disclosure and response
Tracebit disclosed the vulnerability directly to Google through its Bug Hunters programme. According to a timeline provided by Tracebit, the vulnerability was initially reported to Google’s Vulnerability Disclosure Programme (VDP) on 27 June, just two days after Gemini CLI’s public release.
Upon receipt, Google triaged the vulnerability as a lower priority; however, as the risk became clearer, the classification was upgraded to P1, S1 – the highest priority and most severe status – on 23 July. The Google product team then addressed the vulnerability, releasing an updated version of Gemini CLI (v0.1.14) with a patch on 25 July, followed by an agreed public disclosure on 28 July.
During the approximately one-month period between the tool’s launch and the deployment of a fix, Tracebit noted that there had been independent discoveries of at least the command validation vulnerability by several other individuals.
User impact and mitigation
Tracebit has detailed that in the patched version of Gemini CLI, attempts at code injection display the malicious command to users, and require explicit approval for any additional binaries to be executed. This change is intended to prevent the silent execution that the original vulnerability enabled.
For users of the CLI, the update strengthens security by making potentially dangerous prompts visible and requiring explicit approval for certain code actions. It closes the gap that previously allowed attackers to slip malicious commands past unsuspecting developers.
“Our security model for the CLI is centered on providing robust, multi-layered sandboxing. We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection. For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session.” (Google VDP Team, July 25th)
Google’s approach to CLI security leverages containerisation and clear warnings for any users opting out of sandboxing, aiming to mitigate the risks involved in running code from untrusted sources.
Tracebit’s role in the discovery and reporting of the issue also underlines the importance of rapid, independent security research, particularly as AI-powered tools become central to software development workflows. The company continues to focus on equipping security teams to take an ‘assume breach’ posture in the face of fast-evolving technologies.
The vulnerability and its remediation underscore the need for vigilance when examining and running third-party or untrusted code, especially in tools leveraging AI to assist in software development. Users are advised to update to the latest Gemini CLI version and to use sandboxing features when dealing with unknown sources.