Critical Gemini CLI Flaw Enabled Host Code Execution, Supply Chain Attacks

A critical remote code execution vulnerability was recently discovered by researchers in Gemini CLI, an open source AI agent designed to provide lightweight access to Gemini directly from a terminal.

The vulnerability, patched by Google in both Gemini CLI and the ‘run-gemini-cli’ GitHub Action, was identified by researchers at Novee Security.

The researchers noticed that “Gemini CLI automatically trusted the current workspace folder, loading any agent configuration it found there without review, sandboxing, or human approval.”

An attacker who could plant a malicious configuration in that folder could cause the AI agent to execute arbitrary commands on the host before sandbox initialization.

“Across every affected workflow, the impact was the same: code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach,” Novee researchers explained.

According to the researchers, a threat actor could have exploited the vulnerability ...