Gemini CLI Vulnerability Allows Silent Execution of Malicious Commands on Developer Systems
Security researchers at Tracebit have discovered a critical vulnerability in Google’s Gemini CLI that enables attackers to silently execute malicious commands on developers’ systems through a sophisticated combination of prompt injection, improper validation, and misleading user interface design.
The vulnerability, classified as a P1/S1 issue by Google’s security team, has been patched in the latest release following responsible disclosure.
Background and Discovery
Google released Gemini CLI on June 25, 2024, as an AI-powered command-line tool designed to help developers explore and write code using Google’s Gemini AI directly from their terminal.
Just two days later, on June 27, Tracebit reported the vulnerability to Google’s Vulnerability Disclosure Program, demonstrating how the tool could be weaponized to execute arbitrary code without user knowledge.
The attack exploits Gemini CLI’s ability to execute shell commands through its run_shell_command tool and its support for “context files” – typically named GEMINI.md – which provide project-specific information to enhance the AI’s coding assistance.
By combining these features with carefully crafted prompt injection techniques, attackers can create seemingly benign codebases that trigger malicious behavior when analyzed by Gemini CLI.
The vulnerability centers on a multi-stage attack that begins with hiding malicious prompts within legitimate-looking files.
Researchers demonstrated how attackers could embed prompt injection code within the text of the GNU Public License in a README.md file, knowing that while experienced developers would recognize and skip reading the license text, Gemini would process the entire content.
The attack exploits a critical flaw in Gemini CLI’s command whitelisting mechanism. When a user approves a command for execution, that command is added to a session whitelist so the user is not prompted again for the same command.
However, the logic that compares new commands against this whitelist proved insufficient for security purposes.
An attacker can first request permission to run an innocuous command such as grep, then issue a malicious payload that begins with grep but carries additional dangerous operations, which the whitelist check treats as already approved.
The vulnerability becomes particularly dangerous through its ability to obscure malicious activity from users.
By including large amounts of whitespace in commands and manipulating the terminal output, attackers can hide the true nature of executed commands from the user interface.
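To make the two weaknesses concrete, the following is an added illustration (not Gemini CLI’s own code, and not the researchers’ proof of concept) of a session whitelist check. `naive_is_allowed` models the prefix-only comparison the article describes, `strict_is_allowed` is one hardened form that requires the string to parse as a single simple command, and `has_padding` / `display_form` show how a confirmation prompt can flag and neutralise the whitespace padding used to push the dangerous tail of a command out of view. The allow-list, sample commands and function names are all constructed for the example.

```python
import re
import shlex

# Constructed session allow-list: the user approved "grep" earlier in the session.
SESSION_ALLOWLIST = {"grep"}

# Characters that let one command string run more than one program or
# redirect its I/O. Any of these means "not a single simple command".
CONTROL_CHARS = re.compile(r"[;&|`$<>()\r\n]")


def naive_is_allowed(command: str, allowlist: set = SESSION_ALLOWLIST) -> bool:
    """Prefix-only check of the kind the article describes: it looks at the
    first whitespace-separated token and nothing else."""
    tokens = command.split()
    return bool(tokens) and tokens[0] in allowlist


def strict_is_allowed(command: str, allowlist: set = SESSION_ALLOWLIST) -> bool:
    """Hardened check: the string must parse as exactly one simple command whose
    program is allow-listed. Control operators are rejected even inside quotes;
    this is deliberately conservative, so the user is re-prompted rather than
    the tool trusting its own parse of a possibly hostile string."""
    if CONTROL_CHARS.search(command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return bool(argv) and argv[0] in allowlist


def has_padding(command: str, run: int = 8) -> bool:
    """Flags long runs of spaces or tabs, which can push the end of a command
    beyond the visible part of a confirmation prompt."""
    return re.search(r"[ \t]{%d,}" % run, command) is not None


def display_form(command: str) -> str:
    """Collapse whitespace so the whole command is shown to the user on one line."""
    return re.sub(r"\s+", " ", command).strip()


def review(command: str) -> dict:
    """Run every check on one command string and return the verdicts."""
    return {
        "naive_allowed": naive_is_allowed(command),
        "strict_allowed": strict_is_allowed(command),
        "padding": has_padding(command),
        "display": display_form(command),
    }


# Constructed sample commands for the example.
SAMPLES = {
    "benign": "grep -n TODO README.md",
    "chained": "grep -n TODO README.md ; env",
    "padded": "grep -n TODO README.md" + " " * 120 + "; env",
    "unbalanced": 'grep "TODO README.md',
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        r = review(cmd)
        print(f"{name:10} naive={r['naive_allowed']!s:5} "
              f"strict={r['strict_allowed']!s:5} padding={r['padding']!s:5} "
              f"display={r['display']!r}")
```

Run stand-alone, the script shows the prefix check approving all three `grep`-prefixed strings, including the chained and padded ones, while the strict check approves only the benign command. The design choice worth noting is that the hardened check rejects rather than interprets anything ambiguous: an unbalanced quote, a control character inside a quoted argument, or an empty string all fall through to "ask the user again".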
In demonstration attacks, researchers successfully exfiltrated environment variables containing sensitive credentials to remote servers while users remained completely unaware of the compromise.
Google initially classified the issue as P2/S4 but later escalated it to P1/S1 status on July 23.
The company released Gemini CLI v0.1.14 on July 25 with fixes that make malicious commands clearly visible to users and require explicit approval for additional binaries.
The agreed disclosure date was July 28, following Google’s standard responsible disclosure timeline.
Several other researchers independently discovered aspects of this vulnerability in the month between the initial release and the fix, highlighting the severity and discoverability of the issue.