A vulnerability in Google’s Gemini CLI allowed attackers to silently execute malicious instructions and exfiltrate information from builders’ computer systems utilizing allowlisted applications.
The flaw was found and reported to Google by the safety agency Tracebit on June 27, with the tech large releasing a repair in model 0.1.14, which grew to become accessible on July 25.
Gemini CLI, first launched on June 25, 2025, is a command-line interface software developed by Google that allows builders to work together immediately with Google’s Gemini AI from the terminal.
It’s designed to help with coding-related duties by loading mission recordsdata into “context” after which interacting with the massive language mannequin (LLM) utilizing pure language.
The software could make suggestions, write code, and even execute instructions regionally, both by prompting the consumer first or by utilizing an allow-list mechanism.
Tracebit researchers, who explored the brand new software instantly after its launch, discovered that it could possibly be tricked into executing malicious instructions. If mixed with UX weaknesses, these instructions may result in undetectable code execution assaults.
The exploit works by exploiting Gemini CLI’s processing of “context recordsdata,” particularly ‘README.md’ and ‘GEMINI.md,’ that are learn into its immediate to assist in understanding a codebase.
Tracebit discovered it is attainable to cover malicious directions in these recordsdata to carry out immediate injection, whereas poor command parsing and allow-list dealing with depart room for malicious code execution.
They demonstrated an assault by establishing a repository containing a benign Python script and a poisoned ‘README.md’ file, after which triggered a Gemini CLI scan on it.
Gemini is first instructed to run a benign command (‘grep ^Setup README.md’), after which run a malicious information exfiltration command that’s handled as a trusted motion, not prompting the consumer to approve it.
The command utilized in Tracebit’s instance seems to be grep, however after a semicolon (;), a separate information exfiltration command begins. Gemini CLI interprets your complete string as secure to auto-execute if the consumer has allow-listed grep.
Supply: Tracebit
“For the needs of comparability to the whitelist, Gemini would take into account this to be a ‘grep’ command, and execute it with out asking the consumer once more,” explains Tracebit within the report.
“In actuality, it is a grep command adopted by a command to silently exfiltrate all of the consumer’s atmosphere variables (probably containing secrets and techniques) to a distant server.”
“The malicious command could possibly be something (putting in a distant shell, deleting recordsdata, and so forth).”
Moreover, Gemini’s output may be visually manipulated with whitespace to cover the malicious command from the consumer, so they don’t seem to be conscious of its execution.
Tracebit created the next video to exhibit the PoC exploit of this flaw:
Though the assault comes with some robust stipulations, reminiscent of assuming the consumer has allow-listed particular instructions, persistent attackers may obtain the specified ends in many circumstances.
That is one other instance of the hazards of AI assistants, which may be tricked into performing silent information exfiltration even when instructed to carry out seemingly innocuous actions.
Gemini CLI customers are really helpful to improve to model 0.1.14 (newest). Additionally, keep away from working the software in opposition to unknown or untrusted codebases, or accomplish that solely in sandboxed environments.
Tracebit states that it examined the assault methodology in opposition to different agentic coding instruments, reminiscent of OpenAI Codex and Anthropic Claude, however these aren’t exploitable on account of extra sturdy allow-listing mechanisms.
Comprise rising threats in actual time – earlier than they influence your online business.
Find out how cloud detection and response (CDR) offers safety groups the sting they want on this sensible, no-nonsense information.
