A critical security vulnerability has been identified in Google’s Gemini Command Line Interface (CLI), posing significant risks to Continuous Integration/Continuous Deployment (CI/CD) environments, particularly those utilizing GitHub Actions workflows. This flaw enables attackers to execute arbitrary code on host systems, potentially compromising sensitive data and system integrity.
Understanding the Vulnerability
The vulnerability affects versions of the Gemini CLI prior to 0.39.1 and 0.40.0-preview.3, as well as the ‘run-gemini-cli’ GitHub Action versions before 0.1.22. The core issue lies in the CLI’s handling of workspace trust and tool execution policies in non-interactive, or ‘headless,’ environments such as automated CI pipelines.
In these settings, the Gemini CLI previously trusted workspace folders by default, automatically loading configuration files and environment variables from directories like .gemini/ and .env without user verification. This behavior allowed attackers to inject malicious configurations into repositories. When a CI workflow processed such untrusted input, the CLI could execute these embedded commands, leading to remote code execution without requiring user interaction.
Additionally, the CLI’s ‘--yolo’ mode, intended to grant the model more freedom in executing actions, ignored fine-grained tool allowlists. This oversight permitted attackers to exploit prompt injection techniques, running unauthorized commands and further escalating the risk in automated pipelines handling untrusted data.
Potential Impact
The severity of this vulnerability is underscored by its critical rating, with a Common Vulnerability Scoring System (CVSS) score of 10.0. Exploitation could result in complete compromise of confidentiality, integrity, and availability of affected systems. Notably, the flaw allows pre-sandbox host-level code execution in certain CI environments, enabling attackers to bypass intended restrictions and execute commands directly on the host system running the pipeline.
For example, a malicious contributor could submit a pull request containing a crafted .gemini/.env file. If the CI pipeline utilizes a vulnerable version of the Gemini CLI, it would automatically trust and load the file, triggering execution of embedded commands. This scenario could grant the attacker access to secrets, modification of build artifacts, or lateral movement to other systems.
Mitigation Measures
In response to this vulnerability, Google has released patched versions of the Gemini CLI and its associated GitHub Action. The updated versions enforce explicit workspace trust in headless modes, aligning behavior with interactive sessions. Configuration files are now loaded only if the workspace is explicitly marked as trusted. Furthermore, the update ensures that tool allowlisting is enforced even in ‘--yolo’ mode, preventing unrestricted command execution.
Users are strongly advised to:
- Upgrade to Gemini CLI version 0.39.1 or 0.40.0-preview.3, and ‘run-gemini-cli’ version 0.1.22 or later.
- Review CI/CD workflows that process untrusted inputs.
- Set the environment variable GEMINI_TRUST_WORKSPACE to ‘true’ only for trusted repositories.
- Implement strict tool allowlists and avoid enabling unnecessary command execution.
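One way to turn the checklist above into a repeatable workflow review, as an added example (not Google's code and not part of the original article). The finding labels, the pull-request heuristic and the sample workflow excerpt are constructed for illustration, and the google-github-actions owner prefix is an assumption, since the article names only ‘run-gemini-cli’.

```python
import re

FIXED_CLI_STABLE = (0, 39, 1)            # fixed versions named in the article
FIXED_CLI_PREVIEW = ((0, 40, 0), 3)      # 0.40.0-preview.3
FIXED_ACTION = (0, 1, 22)

def cli_is_patched(version):
    """True if a Gemini CLI version string is at or above a fixed release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-preview\.(\d+))?", version.strip())
    if not m:
        return False                     # unrecognised format: treat as unpatched
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:               # stable release
        return core >= FIXED_CLI_STABLE
    base, n = FIXED_CLI_PREVIEW          # a preview sorts before its own stable core
    return core > base or (core == base and int(m.group(4)) >= n)

def audit_workflow(text):
    """Return (line, finding) pairs; PR triggers are assumed to mean untrusted input."""
    on_pr = re.search(r"\bpull_request(_target)?\b", text) is not None
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.search(r"uses:\s*\S*run-gemini-cli@(\S+)", line)
        if m:
            v = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", m.group(1))
            if v is None:                # branch, major tag or SHA: check by hand
                findings.append((n, "unresolved-action-ref"))
            elif tuple(map(int, v.groups())) < FIXED_ACTION:
                findings.append((n, "old-action"))
        if on_pr and re.search(r"GEMINI_TRUST_WORKSPACE\s*[:=]\s*['\"]?true", line):
            findings.append((n, "trusted-on-pr"))
        if "--yolo" in line:
            findings.append((n, "yolo"))
    return findings

# Constructed workflow excerpt, not taken from any real repository.
SAMPLE = """\
on:
  pull_request:
jobs:
  review:
    env:
      GEMINI_TRUST_WORKSPACE: 'true'
    steps:
      - uses: google-github-actions/run-gemini-cli@v0.1.21
"""

if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```

Run `audit_workflow` over each file under `.github/workflows/`; an `unresolved-action-ref` finding means the ref has to be resolved manually to confirm it points at 0.1.22 or later.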
This incident highlights the critical importance of securing CI/CD pipelines, especially when processing untrusted inputs. Organizations must remain vigilant, regularly updating tools and reviewing security configurations to mitigate potential risks associated with automated workflows.