Gemini CLI Vulnerability Exploited for Code Execution, Supply Chain Attack Risk
Critical Flaw in Gemini CLI Allows Potential Supply Chain Attack
The open-source Gemini CLI tool, used to interact with Google’s Gemini AI assistant, has been found to contain a severe vulnerability that could enable attackers to execute code and launch a supply chain attack.
According to a report by Pillar Security, the flaw stemmed from the tool’s “yolo” mode ignoring tool allowlists, which made it exploitable through indirect prompt injection: malicious instructions hidden in the text of a GitHub issue.
- The flaw allowed an attacker to create a public issue on a Google GitHub repository and hide malicious prompts within its text.
- The attacker could then take control of the AI agent tasked with automatically triaging the user-submitted issue, leveraging it to extract internal secrets from the build environment and transmit them to an attacker-controlled server.
- Among the compromised credentials was a token with full write access to the repository, enabling the attacker to push arbitrary code to the main branch of the Gemini CLI repository.
The compromised code would ship to every downstream user, constituting a full supply-chain compromise.
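The chain above combines three conditions: an agent job triggered by attacker-controlled text (a public issue), a CI token that can write to the repository, and an auto-approve mode that skips the tool allowlist. The following added example, which is hypothetical audit code and not part of Gemini CLI, the run-gemini-cli action or the Pillar Security report, checks a GitHub Actions workflow (as loaded by `yaml.safe_load`) for that combination; the action name `example-org/run-ai-agent` and the agent-step markers are assumptions.

```python
# Added example (hypothetical audit; not Gemini CLI, run-gemini-cli or Pillar Security code):
# flag the report's pattern in a workflow dict as yaml.safe_load() yields it.
UNTRUSTED_EVENTS = {"issues", "issue_comment", "pull_request_target", "discussion"}
AGENT_MARKERS = ("gemini", "ai-agent")      # substrings that identify agent steps (assumption)
AUTO_APPROVE_MARKERS = ("--yolo", "yolo")   # auto-approve mode named in the report

def trigger_events(workflow):
    # PyYAML reads the bare key `on:` as boolean True (YAML 1.1), so accept both spellings.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on) if isinstance(on, list) else set(on.keys())

def grants_contents_write(perms):
    # write-all or contents:write is what lets a job push to the default branch.
    return perms == "write-all" or (isinstance(perms, dict) and perms.get("contents") == "write")

def audit_workflow(workflow):
    """Return (job_id, reason) findings; an empty list means the risky pattern was not found."""
    findings = []
    untrusted = sorted(trigger_events(workflow) & UNTRUSTED_EVENTS)
    if not untrusted:
        return findings
    for job_id, job in workflow.get("jobs", {}).items():
        steps = job.get("steps", [])
        step_text = " ".join(str(s.get(k, "")) for s in steps for k in ("uses", "run", "with"))
        if not any(m in step_text.lower() for m in AGENT_MARKERS):
            continue  # not an agent job
        perms = job.get("permissions", workflow.get("permissions"))
        if perms is None:
            findings.append((job_id, f"agent job on untrusted events {untrusted} has no explicit "
                                     "permissions block, so the token inherits the repository default"))
        elif grants_contents_write(perms):
            findings.append((job_id, f"agent job on untrusted events {untrusted} holds contents:write"))
        if any(m in step_text for m in AUTO_APPROVE_MARKERS):
            findings.append((job_id, "agent auto-approves tool calls (yolo mode) on untrusted input"))
    return findings

RISKY_WORKFLOW = {  # constructed sample; `example-org/run-ai-agent` is a hypothetical action
    True: {"issues": {"types": ["opened"]}}, "permissions": {"contents": "write", "issues": "write"},
    "jobs": {"triage": {"steps": [{"uses": "example-org/run-ai-agent@v1",
             "with": {"prompt": "Triage #${{ github.event.issue.number }}", "args": "--yolo"}}]}}}
HARDENED_WORKFLOW = {  # same job with a read-only contents token and no auto-approve flag
    True: {"issues": {"types": ["opened"]}}, "permissions": {"contents": "read", "issues": "write"},
    "jobs": {"triage": {"steps": [{"uses": "example-org/run-ai-agent@v1",
             "with": {"prompt": "Triage #${{ github.event.issue.number }}"}}]}}}
if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

The hardened variant keeps `issues: write` so the agent can still label or comment on the issue, but it can no longer push to the repository and no longer auto-approves tool calls.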
Potential Impact:
- Possibility of supply chain attacks through compromised code pushed to the main branch of the Gemini CLI repository.
- Risk of unauthorized access to internal secrets, credentials, and source code across vulnerable CI workflows.
Resolution:
Google released Gemini CLI version 0.39.1 on April 24, enforcing tool allowlists even in yolo mode and updating the run-gemini-cli GitHub Action.
The update also resolved a separate concern related to Gemini CLI in headless mode, which automatically trusted the current workspace folder, potentially granting access to credentials, secrets, and source code across vulnerable CI workflows.
