Google has addressed a critical remote code execution vulnerability in its Gemini CLI tool that could compromise CI/CD pipelines and development environments.
Google has patched a critical CVSS 10.0 vulnerability in its Gemini CLI command-line AI tool, requiring organizations using the tool to update their workflows immediately. The security flaw, discovered by independent researchers, creates significant risks for development environments and CI/CD pipelines that use the tool in headless mode.
Technical Details of the Vulnerability
The vulnerability stems from how Gemini CLI handles workspace folder trust in headless mode, which is frequently used in CI/CD environments and increasingly by AI agents. According to Google's advisory, the tool automatically assumes any workspace folders it's active in are trusted for loading configuration files and environment variables.
"This vulnerability had nothing to do with prompt injection or the model 'deciding' to act maliciously," explained Elad Meged of Novee Security, one of the credited researchers. "It was an infrastructure-level issue, where attacker-controlled content was silently accepted as trusted configuration and executed before any sandbox was initialized."
The flaw allows for remote code execution through malicious environment variables in the local .gemini/ directory when the tool operates in untrusted folders. While interactive mode requires explicit user trust before loading workspace configuration files, headless mode lacked this safeguard until the recent patch.
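To make the trust distinction concrete, here is a small Python model of the two behaviours the advisory contrasts: a loader that treats every workspace as trusted (the pre-patch headless behaviour) beside one that only reads workspace configuration from folders an operator has explicitly trusted. This is an added illustration written for this article, not Gemini CLI's own code; the `.gemini/.env` file name, the dotenv format and the allowlist-of-paths trust mechanism are assumptions, and the "attacker-controlled" value is a constructed sample.

```python
"""Illustrative model of workspace trust for headless config loading.
Not Gemini CLI's code: file name (.gemini/.env), dotenv format and the
path-allowlist trust mechanism are assumptions made for this example."""
from __future__ import annotations

import tempfile
from pathlib import Path


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse a minimal KEY=VALUE dotenv file; comments and blank lines are skipped."""
    env: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def load_workspace_env_implicit(workspace: Path) -> dict[str, str]:
    """Pre-patch headless behaviour: every workspace is assumed trusted, so a
    .gemini/.env committed to the repository is loaded unconditionally."""
    env_file = workspace / ".gemini" / ".env"
    if env_file.is_file():
        return parse_dotenv(env_file.read_text())
    return {}


def load_workspace_env_explicit(workspace: Path, trusted: set[Path]) -> dict[str, str]:
    """Post-patch behaviour: workspace config is only honoured when the folder
    was explicitly trusted (modelled here as an allowlist of resolved paths)."""
    if workspace.resolve() not in {p.resolve() for p in trusted}:
        return {}  # untrusted workspace: its .gemini/ directory is ignored
    return load_workspace_env_implicit(workspace)


def demo() -> tuple[dict[str, str], dict[str, str], dict[str, str]]:
    """Create a constructed workspace whose .gemini/.env was written by an
    untrusted contributor and return the three outcomes:
    (implicit load, explicit but untrusted, explicit and trusted)."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "repo"
        (ws / ".gemini").mkdir(parents=True)
        # Constructed sample: a config line an outside PR could add to the repo.
        (ws / ".gemini" / ".env").write_text(
            "# sample committed by an untrusted contributor\n"
            'INJECTED_SETTING="attacker-controlled"\n'
        )
        implicit = load_workspace_env_implicit(ws)
        untrusted = load_workspace_env_explicit(ws, trusted=set())
        trusted = load_workspace_env_explicit(ws, trusted={ws})
    return implicit, untrusted, trusted


if __name__ == "__main__":
    for label, result in zip(("implicit", "explicit/untrusted", "explicit/trusted"), demo()):
        print(f"{label}: {result}")
```

The point of the model is that the explicit loader returns nothing for the same on-disk content until someone outside the repository vouches for the folder, which is exactly the gap a pull request from an outsider could exploit under the implicit loader.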
The Patch and Its Implications
Google released the fix in Gemini CLI versions 0.39.1 and 0.40.0-preview.3, bringing headless mode behavior in line with interactive mode by requiring explicit trust mechanisms. However, this necessary security update creates compliance challenges for organizations using the tool.
The run-gemini-cli GitHub Action automatically updates to the newest Gemini CLI release unless users pin a specific version. This means organizations using the GitHub Action without specifying a CLI version may experience unexpected workflow failures. Google explicitly states:
"GitHub Actions and other automated pipelines that rely on the previous automatic trust behavior will fail to load workspace-specific settings until they are updated to use explicit trust mechanisms."
Workflow Compatibility Issues
Organizations face a dual challenge with this update. First, workflows that relied on Gemini CLI's previous automatic trust behavior will fail until modified to use explicit trust mechanisms. Second, the update changes how the --yolo mode operates:
"In previous versions, when Gemini CLI was configured to run in --yolo mode, it would ignore any fine grained tool allowlist," Google explained. "In version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlisting under --yolo mode … As a result, some workflows that previously depended on this behavior may fail silently unless tool allowlists are modified to fit the task."
Compliance Requirements and Timeline
Organizations using Gemini CLI must take immediate action:
- Update Gemini CLI to version 0.39.1 or later
- Review CI/CD workflows that use the run-gemini-cli GitHub Action
- Modify workflows that relied on previous trust behavior or --yolo mode functionality
- Implement proper version pinning in GitHub Actions to prevent unexpected updates
- Test updated workflows in non-production environments before deployment
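The version-pinning step in that checklist is easy to audit mechanically. The following Python script, added for this article and not part of Google's tooling, scans a GitHub Actions workflow for steps that use the run-gemini-cli action and reports whether the action reference is a mutable branch, a tag or a full commit SHA, and whether the step pins a Gemini CLI version. It assumes the action is referenced as `google-github-actions/run-gemini-cli` and that the CLI version is set through an input named `gemini_cli_version` (verify the input name against the action's README before relying on it); the embedded workflow and its 40-hex commit SHA are constructed samples.

```python
"""Audit a GitHub Actions workflow for unpinned run-gemini-cli usage.
Added example, not Google's tooling. Assumptions: the action path below and
the gemini_cli_version input name (check the action's README)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ACTION = "google-github-actions/run-gemini-cli"
CLI_VERSION_INPUT = "gemini_cli_version"  # assumed input name
USES_RE = re.compile(r"^(\s*)(-\s*)?uses:\s*" + re.escape(ACTION) + r"@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int                  # 1-based line of the uses: entry
    ref: str                   # what follows the @ in the uses: entry
    ref_kind: str              # "sha", "tag" or "mutable"
    cli_version: Optional[str]  # value of the version input, None if absent

    @property
    def ok(self) -> bool:
        # Both the action and the CLI version must be pinned, otherwise the
        # next release can change behaviour (as 0.39.1 did) without warning.
        return self.ref_kind == "sha" and self.cli_version not in (None, "latest")


def classify_ref(ref: str) -> str:
    """Full commit SHA is immutable; tags can move; branches always move."""
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "mutable"


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per step that uses the run-gemini-cli action."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        # Column of the 'uses' key; sibling keys (with:) share it, children are deeper.
        key_col = len(m.group(1)) + len(m.group(2) or "")
        cli_version = None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_col:
                break  # dedented: the step has ended
            kv = re.match(r"\s*" + CLI_VERSION_INPUT + r":\s*(\S+)", nxt)
            if kv:
                cli_version = kv.group(1).strip("\"'")
        findings.append(Finding(i + 1, m.group(3), classify_ref(m.group(3)), cli_version))
    return findings


# Constructed sample workflow: one unpinned step and one fully pinned step.
SAMPLE_WORKFLOW = """\
# constructed sample workflow
name: gemini-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: unpinned
        uses: google-github-actions/run-gemini-cli@main
        with:
          prompt: review this change
      - name: pinned
        uses: google-github-actions/run-gemini-cli@0123456789abcdef0123456789abcdef01234567
        with:
          gemini_cli_version: 0.39.1
          prompt: review this change
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "OK " if f.ok else "FIX"
        print(f"{status} line {f.line}: @{f.ref} ({f.ref_kind}), cli_version={f.cli_version}")
```

Run it over each file under `.github/workflows/` and treat any `FIX` line as a workflow that will pick up new Gemini CLI releases, and therefore the trust and `--yolo` allowlist changes described above, without anyone having chosen to adopt them.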
Google has confirmed that the vulnerability is in the process of receiving a CVE designation. Novee Security received a bug bounty for the discovery but did not disclose the amount.
Broader Security Implications
Across all test environments, Novee Security observed consistent and severe impacts:
"Code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach," the Novee team explained. "Enough for token theft, supply-chain pivots, and lateral movement into downstream systems."
This vulnerability highlights emerging security challenges in AI-powered development tools. As AI agents become more integrated into development workflows, securing the underlying infrastructure becomes increasingly critical. Organizations must balance the productivity benefits of these tools with appropriate security controls and regular vulnerability assessments.
For more information on the vulnerability and the patch, refer to Google's advisory on GitHub and the official Gemini CLI documentation.