A newly discovered vulnerability in Google’s Gemini CLI, an AI-powered tool designed to help developers explore and write code from the command line, has exposed users to silent execution of malicious commands without their knowledge.
The security research team at Tracebit uncovered how a clever mix of prompt injection, weak validation, and deceptive user experience could allow attackers to run harmful code on anyone’s machine simply by inspecting a compromised codebase with Gemini CLI.
What Happened?
Google released Gemini CLI on 25 June 2025, aiming to streamline coding workflows by enabling developers to interact with code through natural language commands powered by Google’s Gemini AI.
Just two days later, Tracebit reported a critical vulnerability to Google’s Vulnerability Disclosure Program (VDP). In default settings, Gemini CLI could be tricked into running malicious shell commands silently, hidden from users, when analyzing untrusted code. This wasn’t just a prompt injection, poor interface design and lax command validation made the attack particularly stealthy.
Google classified the flaw as a Priority 1 (P1) and Severity 1 (S1) issue and released a patch with Gemini CLI version 0.1.14 on July 25.
How the Attack Works
At the core of the issue is Gemini CLI’s ability to execute shell commands via a tool called run_shell_command. Normally, Gemini CLI asks users to approve any shell command before running it. However, users can whitelist commands during a session to avoid repeated prompts.
Bad actors can exploit this by first getting users to whitelist a harmless command, such as a simple grep search. Then, the attacker disguises a malicious command as this innocent one. Because Gemini CLI’s command whitelist matching is flawed, it treats the dangerous command as the safe one and runs it automatically, without alerting the user.
On top of that, Gemini CLI’s interface can obscure malicious commands by injecting large amounts of whitespace after benign output, effectively hiding the real payload from view.
The Malicious Payload
Using a specially crafted “context file” (typically a README.md or GEMINI.md file within the codebase) the malefactor hides malicious instructions inside seemingly harmless text, such as the GNU Public License.
When Gemini CLI loads this file to help understand the project, it unknowingly reads and executes the hidden commands. These commands can quietly send environment variables, including sensitive credentials, to a remote server controlled by the criminal, all while the user believes Gemini is just analyzing the code.
The Fallout and Fix
Between Gemini CLI’s release and the patch, multiple independent researchers noted the same issues, particularly the weak command validation.
With the July 25 update, Gemini CLI now clearly shows any commands it tries to run and requires explicit user approval for anything suspicious. Google also highlighted that sandboxing options are available—though not enabled by default, to help contain any risky activity.
What You Should Do
- Update immediately to Gemini CLI version 0.1.14 or later.
- Enable sandboxing where possible to isolate code execution.
- Be cautious when using AI assistants on untrusted code repositories. Even trusted tools can be tricked if the underlying code contains malicious instructions.
Google commented in relation to the disclosure:
“Our security model for the CLI is centered on providing robust, multi-layered sandboxing. We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection. For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.