Security researchers have discovered a vulnerability in Google's Gemini CLI tool that enables malicious command execution and silent data infiltration.
Released in June, Gemini CLI is a command line interface (CLI) tool designed to streamline coding workflows by allowing users to interact with code using Google’s Gemini large language model (LLM) directly from their command line.
Just two days after launch, Tracebit discovered and reported a vulnerability that meant that, in its default configuration, Gemini CLI could silently execute arbitrary malicious code on a user's machine when run in the context of untrusted code.
Sam Cox, TraceBit’s co-founder and chief technology officer (CTO), said this can be done in such a way as to obscure this from the victim of the attack.
The vulnerability arises from the way Gemini CLI implements whitelists, requesting permission to execute shell commands and allowing users to whitelist certain commands for the rest of a session.
"Gemini’s method of matching commands against the whitelist is inadequate as a security control," Cox explained.
"This means we can orchestrate a two-stage attack: firstly, we get the user to whitelist an innocuous command. Secondly, we attempt a malicious command masquerading as that innocuous command - which, having been whitelisted, will not be subject to user approval before execution."
The team used a simple grep search as the initial command - something that would normally be seen as a very low risk activity for Gemini to perform and that might easily lead to ‘grep’ being added to the whitelist.
They were able to execute a malicious command - which Gemini now considered to be a ‘grep’ command and executed without confirming with the user.
"In reality, this is a grep command followed by a command to silently exfiltrate all the user’s environment variables (possibly containing secrets) to a remote server," said Cox.
"The malicious command could be anything (installing a remote shell, deleting files, etc)."
The team then added several whitespace characters, followed by a semicolon and malicious 'env' and 'curl' commands to silently retrieve and exfiltrate the data.
There’s a fix for the Gemini CLI flaw
Google fixed the issue late last week with the release of Gemini CLI v0.1.14, which now shows any commands it's trying to run and requires explicit user approval for anything suspicious.
“Our security model for the CLI is centered on providing robust, multi-layered sandboxing,” Google’s Vulnerability Disclosure Program team said in a statement.
“We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection.”
"For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session,” the company added.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Box reveals new AI capabilities at BoxWorks 2025News Extract and Automate will help businesses make better use of their data, the cloud company claims
-
Big tech CEOs are fueling the fire of AI confusionOpinion Mixed messaging on the effectiveness of AI only raises fears that the technology will steal human jobs
-
LNER warns customers to remain vigilant after personal data exposed in cyber attackNews LNER has warned customers to remain vigilant for social engineering attacks after a cyber attack on the rail operator exposed personal data.
-
Jaguar Land Rover u-turns on cyber attack containment claims, admits ‘some data has been affected’News Jaguar Land Rover (JLR) has admitted some data may have been accessed by hackers following a cyber attack which severely disrupted production.
-
Everything we know about the Plex data breach so farNews Plex advised users to sign out of any connected devices that are currently logged in and enable two-factor authentication if they haven’t already.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
FBI warns 'indiscriminate' Salt Typhoon hacking campaign has hit organizations in more than 80 countriesNews The Salt Typhoon hacker group has waged several major campaigns against US telecoms companies and critical infrastructure operators – now it's ramping up attacks globally.
-
Salesloft Drift hackers had access to company GitHub account for months before attacksNews Hackers behind the Salesloft Drift breach had access to the company’s GitHub account for several months before waging a flurry of attacks, the company has revealed.
-
Gen Z has a cyber hygiene problemNews A new survey shows Gen Z is far less concerned about cybersecurity than older generations
-
Cybersecurity experts issue urgent warning amid surge in Stealerium malware attacksNews Proofpoint said Stealerium has flown under the radar for some time now, but researchers have observed a huge spike in activity between May and August this year.
