
Researchers discovered a vulnerability in Google’s Gemini CLI AI Assistant that allowed the stealth execution of malicious commands and the theft of data from developers’ computers using programs from an approved list.
Gemini CLI, launched by Google on June 25, 2025, is a command-line tool that allows developers to interact directly with Gemini through the terminal. The utility is designed to assist with programming-related tasks: it uploads project files into the “context” and enables working with an LLM in natural language.
This tool can offer recommendations and propose solutions, write code, and even execute commands locally—either after receiving user permission or automatically if the command is on the approved list.
On June 27, specialists from Tracebit notified Google about a vulnerability in Gemini CLI. The issue was resolved in version 0.1.14, which was released last week on July 25.
Researchers reported that they began studying the tool immediately after its release and discovered that it could execute malicious commands. Combined with UX issues, this could lead to concealed code execution attacks.
The experts’ exploit was based on how Gemini CLI processes “contextual” files (such as README.md and GEMINI.md) that are incorporated into the prompt to better understand the code.
Tracebit demonstrated that such files can subtly embed malicious instructions through prompt injection, and poorly implemented command parsing and allowlist processing ultimately create an opportunity for executing malicious code.
As part of the attack demonstration, researchers created a repository with a harmless Python script and a malicious README.md file, then initiated a scan via the Gemini CLI. Initially, the AI was instructed to execute the command grep ^Setup README.md (which is safe), followed by a data exfiltration command that Gemini CLI considered trusted and executed without requesting confirmation.

Although the command looked like grep, after the semicolon (;) there was a separate instruction — it involved sending the user’s environment variables (potentially with tokens and secrets) to a remote server. However, since the user allowed grep, the entire command was considered safe for automatic execution.
“Gemini interprets this as a grep command and executes it without re-prompting the user,” explained Tracebit. “However, in reality, it is grep followed by a command for covert exfiltration of all user environment variables (which may contain secrets).”
Researchers noted that an attacker could use any malicious command, from deploying a reverse shell to deleting files. Additionally, the output of Gemini can be visually masked with spaces to conceal the malicious part and not arouse suspicion from the user.
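As an added illustration (not Gemini CLI's code and not Tracebit's exploit), the sketch below contrasts the first-word allowlist check the article describes with a stricter one that tokenises the line as a POSIX shell would and refuses any operator or substitution. The allowlist entries and the upload-somewhere placeholder are constructed.

```python
import shlex

# Constructed allowlist standing in for commands a user pre-approved.
ALLOWLIST = {"grep", "ls", "cat"}

# Characters shlex turns into stand-alone operator tokens when
# punctuation_chars is enabled; any such token means a second command,
# a pipe, a redirect or a $(...) substitution is present.
OPERATOR_CHARS = set(";&|<>()")

# Constructed inputs: the safe command from the article, and the same
# command with a second instruction chained after ';'. 'upload-somewhere'
# is a placeholder for the remote-send step the article describes.
SAFE_COMMAND = "grep ^Setup README.md"
CHAINED_COMMAND = "grep ^Setup README.md; env | upload-somewhere"

def naive_is_allowed(command: str) -> bool:
    """Weak pattern: approve if the first word is allowlisted.
    Nothing after the program name, ';' included, is inspected."""
    words = command.split()
    return bool(words) and words[0] in ALLOWLIST

def strict_is_allowed(command: str) -> bool:
    """Hardened check: tokenise as a POSIX shell would, refuse any
    operator, substitution or unbalanced quote, and require exactly
    one allowlisted program."""
    try:
        lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        tokens = list(lexer)
    except ValueError:  # unbalanced quoting: refuse rather than guess
        return False
    if not tokens:
        return False
    for tok in tokens:
        # Unquoted ; && || | > < ( ) arrive as pure-operator tokens.
        if tok and set(tok) <= OPERATOR_CHARS:
            return False
        # Backticks are ordinary word characters to shlex, so
        # command substitution must be caught inside a token.
        if "`" in tok:
            return False
    return tokens[0] in ALLOWLIST

if __name__ == "__main__":
    for cmd in (SAFE_COMMAND, CHAINED_COMMAND):
        print(f"{cmd!r}: naive={naive_is_allowed(cmd)} strict={strict_is_allowed(cmd)}")
```

The strict check is deliberately conservative: a quoted ";" passed as a literal argument is also refused, which is the right trade-off for a tool that runs approved commands without asking.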
Although the exploit requires the user to pre-add commands to the allow-list, persistent attackers could still succeed, experts emphasize.
Users of the Gemini CLI are advised to update to version 0.1.14 as soon as possible and to avoid running the tool on unfamiliar or untrusted codebases, or to do so only in an isolated environment.
The researchers from Tracebit also tested this attack technique on other similar tools, including OpenAI Codex and Claude from Anthropic. In these tools, the exploit was not possible due to the use of more robust permission mechanisms.