Security researchers have discovered a vulnerability in Google's Gemini CLI tool that enables malicious command execution and silent data infiltration.
Released in June, Gemini CLI is a command line interface (CLI) tool designed to streamline coding workflows by allowing users to interact with code using Google’s Gemini large language model (LLM) directly from their command line.
Just two days after launch, Tracebit discovered and reported a vulnerability that meant that, in its default configuration, Gemini CLI could silently execute arbitrary malicious code on a user's machine when run in the context of untrusted code.
Sam Cox, TraceBit’s co-founder and chief technology officer (CTO), said this can be done in such a way as to obscure this from the victim of the attack.
The vulnerability arises from the way Gemini CLI implements whitelists, requesting permission to execute shell commands and allowing users to whitelist certain commands for the rest of a session.
"Gemini’s method of matching commands against the whitelist is inadequate as a security control," Cox explained.
"This means we can orchestrate a two-stage attack: firstly, we get the user to whitelist an innocuous command. Secondly, we attempt a malicious command masquerading as that innocuous command - which, having been whitelisted, will not be subject to user approval before execution."
The team used a simple grep search as the initial command - something that would normally be seen as a very low risk activity for Gemini to perform and that might easily lead to ‘grep’ being added to the whitelist.
They were able to execute a malicious command - which Gemini now considered to be a ‘grep’ command and executed without confirming with the user.
"In reality, this is a grep command followed by a command to silently exfiltrate all the user’s environment variables (possibly containing secrets) to a remote server," said Cox.
"The malicious command could be anything (installing a remote shell, deleting files, etc)."
The team then added several whitespace characters, followed by a semicolon and malicious 'env' and 'curl' commands to silently retrieve and exfiltrate the data.
There’s a fix for the Gemini CLI flaw
Google fixed the issue late last week with the release of Gemini CLI v0.1.14, which now shows any commands it's trying to run and requires explicit user approval for anything suspicious.
“Our security model for the CLI is centered on providing robust, multi-layered sandboxing,” Google’s Vulnerability Disclosure Program team said in a statement.
“We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection.”
"For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session,” the company added.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Gender diversity improvements could be the key to tackling the UK's AI skills shortageNews Encouraging more women to pursue tech careers could plug huge gaps in the AI workforce
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network Academy
News The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
