On July 29, 2025, security researchers disclosed a significant vulnerability in Google’s Gemini Command Line Interface (CLI), a tool designed to enhance coding workflows through artificial intelligence. The flaw, discovered shortly after the tool’s release, could have allowed attackers to execute malicious commands on developers’ systems without detection, potentially leading to data theft or system compromise. Google has since released a fix in version 0.1.14, urging users to update immediately to protect their systems.
What is Gemini CLI?
Introduced on June 25, 2025, Gemini CLI is an open-source, command-line tool that integrates Google’s Gemini large language model (LLM) to assist developers with coding tasks. The tool allows users to interact with their codebase using natural language prompts, enabling functions like code generation, debugging, and documentation creation directly from the terminal. It processes project files, such as README.md or GEMINI.md, to provide context for its AI-driven recommendations and can execute shell commands to streamline workflows.
Gemini CLI’s features include:
- Code Analysis: Summarizes codebases and identifies potential issues or improvements.
- Command Execution: Runs shell commands, with an allow-list mechanism to approve trusted actions.
- Integration: Supports tools like Docker, Podman, and macOS Seatbelt for sandboxed environments.
- Customization: Allows users to tailor prompts and integrate with Google’s Gemini Code Assist.
The tool’s open-source nature, licensed under Apache 2.0, encourages community contributions and transparency, but its rapid adoption made it a target for security scrutiny.
The Vulnerability Explained
The vulnerability, identified by UK-based security firm Tracebit on June 27, 2025, stemmed from a combination of flaws in Gemini CLI’s design. According to reports from BleepingComputer, the issue allowed attackers to embed malicious instructions in context files, such as README.md, which the tool processes to understand a codebase. By exploiting prompt injection techniques, attackers could trick Gemini CLI into executing unauthorized commands without user awareness.
The attack relied on a two-stage approach:
- Stage 1: Whitelisting a Harmless Command: Attackers would prompt Gemini CLI to request execution of a benign command, such as a grep search for setup instructions in a README.md file. Users, perceiving this as low-risk, might add grep to the allow-list, enabling it to run without further approval.
- Stage 2: Hidden Malicious Payload: Attackers could then append a malicious command, such as curl to exfiltrate sensitive data, to the whitelisted command. Due to flawed validation, Gemini CLI would treat the combined command as trusted, executing it without prompting the user.
To conceal the malicious activity, attackers could insert large amounts of whitespace characters into the command, pushing the harmful portion out of view in the terminal’s user interface. This allowed actions like stealing environment variables potentially containing sensitive credentials or installing remote shells to go undetected.
Real-World Exploit Demonstration
Tracebit demonstrated the vulnerability using a proof-of-concept (PoC) attack. Researchers created a repository with a benign Python script and a poisoned README.md file containing the GNU Public License text, a common component in open-source projects. Hidden within the license text were malicious instructions that Gemini CLI processed, leading to the execution of a data-exfiltration command. The PoC showed how attackers could exploit developers’ trust in familiar files to bypass security measures.
The attack required specific conditions, such as a user whitelisting a command and running Gemini CLI on an untrusted codebase. However, these prerequisites were not considered prohibitive, as developers often analyze unfamiliar repositories, making the flaw a significant risk. Other AI coding tools, such as OpenAI’s Codex and Anthropic’s Claude, were tested and found to be less vulnerable due to stronger command validation mechanisms.
Google’s Response and Fix
Google was notified of the vulnerability on June 27, 2025, through its Vulnerability Disclosure Program. Initially classified as a moderate issue (P2/S4), it was escalated to high severity (P1/S1) on July 23 after further evaluation. Google released a patch in Gemini CLI version 0.1.14 on July 25, 2025, addressing the flaw by improving command parsing and requiring explicit user approval for additional binaries. The update also enhances visibility of executed commands, ensuring malicious payloads are no longer hidden by whitespace manipulation.
Google emphasized its commitment to security, stating that Gemini CLI’s design prioritizes robust sandboxing. The tool integrates with Docker, Podman, and macOS Seatbelt, offering pre-built containers for secure execution. Users who opt out of sandboxing receive a persistent red-text warning in the terminal to highlight potential risks.
Recommendations for Users
Security experts have urged Gemini CLI users to take immediate action to mitigate risks:
- Update to Version 0.1.14: Ensure the latest version is installed to benefit from the patched security controls.
- Enable Sandboxing: Use Docker, Podman, or macOS Seatbelt to isolate Gemini CLI’s operations from the host system.
- Avoid Untrusted Codebases: Refrain from running the tool on unfamiliar or unverified repositories unless in a sandboxed environment.
- Review Allow-Lists: Exercise caution when adding commands to the allow-list, as this can create vulnerabilities if exploited.
These measures are critical to preventing similar attacks, especially as AI-powered coding tools become more prevalent in development workflows.
Broader Implications for AI Coding Tools
The Gemini CLI vulnerability highlights the growing risks associated with “agentic” AI tools, which combine automation with system-level access. Similar issues have been reported in other platforms, such as Amazon’s AI coding assistant, where prompt injection led to potential data-wiping commands. These incidents underscore the need for robust security controls in AI tools that interact with sensitive systems.
As AI assistants become integral to software development, vulnerabilities like this could expose developers to significant risks, including data breaches and system compromise. The open-source nature of Gemini CLI allows for community scrutiny, which helped identify the flaw quickly, but it also emphasizes the importance of rigorous validation and user interface design to prevent exploitation.
Industry Context and Future Outlook
The discovery comes amid increasing concerns about the security of AI-driven tools. Privacy advocates, including Signal’s CEO Meredith Whittaker, have warned about the unpredictability of generative AI systems, particularly those with deep system access. The Gemini CLI flaw is part of a broader trend of vulnerabilities in AI coding assistants, prompting calls for stricter security standards and sandboxing practices.
Google’s swift response demonstrates the importance of responsible disclosure and rapid patching in the tech industry. As AI tools evolve, developers and security researchers will need to collaborate closely to identify and address vulnerabilities, ensuring these tools remain safe and reliable for widespread use.
A critical vulnerability in Google’s Gemini CLI, discovered on June 27, 2025, allowed attackers to execute hidden malicious commands through prompt injection and flawed command validation. The flaw, which could lead to data exfiltration or system compromise, was patched in version 0.1.14 on July 25, 2025. Users are advised to update immediately, enable sandboxing, and avoid running the tool on untrusted codebases. The incident highlights the need for robust security measures in AI-powered coding tools as they become more integrated into development workflows.
Sources & References:
- BleepingComputer
- IT Pro
- CyberScoop
- CSO Online
- Tracebit
