Critical Gemini CLI Vulnerabilities

-


Critical Gemini CLI Vulnerabilities

1. Critical RCE in CI/CD (CVSS 10.0 – GHSA‑wpqr‑6v78‑jr5g)

  • A maximum‑severity Remote Code Execution (RCE) flaw was discovered in Google’s Gemini CLI (@google/gemini-cli) and the run-gemini-cli GitHub Action.
  • In headless/CI environments, Gemini CLI automatically trusted workspace folders, loading .gemini/ configuration and environment variables without review or sandboxing, allowing attackers to execute arbitrary commands on the host before sandbox initialization.
  • Exploitation required no authentication, no user interaction, and no prompt injection.

Impact

  • Full host command execution in CI/CD runners
  • Theft of secrets, tokens, and credentials
  • Software supply‑chain compromise via malicious pull requests

Affected versions

  • @google/gemini-cli < 0.39.1
  • @google/gemini-cli ≤ 0.40.0-preview.2
  • google-github-actions/run-gemini-cli < 0.1.22

Fixed versions

  • @google/gemini-cli 0.39.1, 0.40.0-preview.3
  • run-gemini-cli 0.1.22

Root causes

  • Implicit workspace trust in headless mode
  • Tool allowlist bypass in --yolo execution mode
  • Improper input validation (CWE‑20, CWE‑77, CWE‑78, CWE‑200)

2. Tool Allowlist Bypass & Prompt‑Injection‑Assisted RCE (CI Context)

What happened

  • In --yolo mode, earlier Gemini CLI versions ignored fine‑grained tool allowlists, meaning that allowing one safe command implicitly allowed any shell command.
  • When combined with untrusted inputs (e.g., GitHub issues or PR text), attackers could achieve RCE via prompt injection, even in workflows that appeared locked down.

Impact

  • RCE in automated workflows processing external content
  • Silent execution of unauthorized commands

Mitigation

  • Patched versions now enforce tool allowlists even in --yolo mode
  • CI workflows may fail until allowlists are explicitly updated

3. Earlier Developer‑Workstation Vulnerability (July 2025)

What happened

  • A prior Gemini CLI flaw allowed silent malicious command execution on developer machines via:
    • Prompt injection
    • Weak command‑whitelist parsing
    • Terminal UI rendering tricks that hid malicious payloads

Status

  • Classified as P1/S1
  • Fixed in Gemini CLI v0.1.14 (July 25, 2025)

Why This Matters

  • Gemini CLI commonly runs with trusted contributor privileges inside CI/CD pipelines.
  • Automatic trust + agent execution = high‑value supply‑chain attack surface.
  • This vulnerability class does not rely on AI model behavior—it is infrastructure‑level execution, making it highly reliable for attackers.

Security researchers emphasized that AI coding agents now sit directly in the software supply chain, magnifying the blast radius of configuration and trust failures.

Recommended Actions (Immediate)

  1. Upgrade immediately
    • @google/gemini-cli >= 0.39.1
    • run-gemini-cli >= 0.1.22
  2. Do not process untrusted inputs without explicit workspace trust controls
  3. Avoid --yolo or tightly restrict allowlisted commands
  4. Audit CI workflows for implicit trust assumptions
  5. Rotate any secrets exposed to vulnerable runs


Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more