Researchers discovered a vulnerability in Google’s Gemini CLI AI Assistant that allowed the stealth execution of malicious commands and the theft of data from developers’ computers using programs from an approved list.
Gemini CLI, launched by Google on June 25, 2025, is a command-line tool that allows developers to interact directly with Gemini through the terminal. The utility is designed to assist with programming-related tasks: it uploads project files into the “context” and enables working with an LLM in natural language.
This tool can offer recommendations and propose solutions, write code, and even execute commands locally—either after receiving user permission or automatically if the command is on the approved list.
On June 27, specialists from Tracebit notified Google about a vulnerability in Gemini CLI. The issue was resolved in version 0.1.14, which was released last week on July 25.
Researchers reported that they began studying the tool immediately after its release and discovered that it could execute malicious commands. Combined with UX issues, this could lead to concealed code execution attacks.
The experts’ exploit was based on how Gemini CLI processes “contextual” files (such as README.md and GEMINI.md) that are incorporated into the prompt to better understand the code.
Tracebit demonstrated that such files can subtly embed malicious instructions through prompt injection, and poorly implemented command parsing and allowlist processing ultimately create an opportunity for executing malicious code.
As part of the attack demonstration, researchers created a repository with a harmless Python script and a malicious README.md file, then initiated a scan via the Gemini CLI. Initially, the AI was instructed to execute the command grep ^Setup README.md (which is safe), followed by a data exfiltration command that Gemini CLI considered trusted and executed without requesting confirmation.
Although the command looked like grep, after the semicolon (;) there was a separate instruction — it involved sending the user’s environment variables (potentially with tokens and secrets) to a remote server. However, since the user allowed grep, the entire command was considered safe for automatic execution.
“Gemini interprets this as a grep command and executes it without re-prompting the user,” explained Tracebit. “However, in reality, it is grep followed by a command for covert exfiltration of all user environment variables (which may contain secrets).”
Researchers noted that an attacker could use any malicious command, from deploying a reverse shell to deleting files. Additionally, the output of Gemini can be visually masked with spaces to conceal the malicious part and not arouse suspicion from the user.
Although the exploit requires the user to pre-add commands to the allow-list, persistent attackers could still succeed, experts emphasize.
Users of the Gemini CLI are advised to update to version 0.1.14 as soon as possible and to avoid running the tool on unfamiliar or untrusted code bases, or to do so only in an isolated environment.
The researchers from Tracebit also tested this attack technique on other similar tools, including OpenAI Codex and Claude from Anthropic. In these tools, the exploit was not possible due to the use of more robust permission mechanisms.