Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack


Attackers could inject prompts into a GitHub issue and take over the AI agent designed to automatically triage the issue.

A critical vulnerability in Gemini CLI could have allowed attackers to mount a supply chain attack via indirect prompts injected into a GitHub issue, Pillar Security warns.

Gemini CLI is the open source AI agent that provides access to Google’s Gemini AI assistant directly from a terminal.

The security defect, assigned a CVSS score of 10/10 but no CVE identifier, existed because Gemini CLI in --yolo mode would ignore tool allowlists, leading to the execution of any command.

According to Pillar Security, an attacker could have exploited the flaw by creating a public issue on a Google GitHub repository and hiding malicious prompts in its text.

Because in --yolo mode all tool calls are automatically approved, the attacker could take over the AI agent designed to automatically triage ...


Copyright of this story solely belongs to SecurityWeek.