Gemini CLI Vulnerability Allows Hackers to Execute Malicious Commands on Developer Systems

A critical security vulnerability discovered in Google’s Gemini CLI tool allowed attackers to execute arbitrary malicious commands on developer systems without detection. 

The vulnerability, identified by cybersecurity firm Tracebit on June 27, 2025, exploited a combination of prompt injection techniques, inadequate input validation, and misleading user interface elements to achieve silent code execution when developers inspected untrusted code repositories.

Key Takeaways
1. Gemini CLI allowed silent malicious code execution on developer systems.
2. Prompt injection tricked users into whitelisting commands, enabling credential theft.
3. Upgrade to v0.1.14+ immediately and use sandboxing.

Exploitation Mechanism Through Prompt Injection

The vulnerability centered on Gemini CLI’s run_shell_command tool and its support for context files, typically named GEMINI.md, which provide project-specific information to the AI assistant. 

Attackers could embed malicious instructions within seemingly benign files like README.md, often disguised within legitimate content such as the GNU Public License text.

The attack employed a sophisticated two-stage approach. First, attackers would prompt Gemini to request execution of an innocuous command like grep ^Setup README.md to search for setup instructions.

[Figure: Gemini CLI vulnerability exploitation mechanism]

When users approved this innocuous operation and added it to their session whitelist, the system’s flawed validation logic created an opening for exploitation.

The core technical flaw resided in Gemini CLI’s inadequate command validation when comparing shell inputs against the whitelist. 

The original implementation failed to correctly parse complex shell command strings, allowing attackers to append malicious payloads after approved commands. 

For instance, a whitelisted grep command could be exploited using the following command.

[Figure: Command for execution]

According to the advisory, this command would execute normally as a grep operation while simultaneously exfiltrating all environment variables, potentially containing sensitive credentials, to an attacker-controlled server.

[Figure: Shell Installation]

Silent Execution and Detection Evasion

The vulnerability’s most dangerous aspect was its ability to remain completely hidden from users.

Researchers exploited Gemini CLI’s Terminal User Interface rendering quirks by inserting large numbers of whitespace characters within commands, thereby obscuring malicious payloads from display. 

This meant that while the malicious code executed successfully, users would only see the benign portion of the command in their interface.

Google classified this as a P1/S1 severity issue and released a fix in Gemini CLI version 0.1.14 on July 25, 2025. 

The patch improved command parsing logic and made malicious commands more visible to users, requiring explicit approval for additional binaries. 
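The allowlist flaw and the whitespace padding described above, sketched as an added example (not Gemini CLI's code, which this article does not show): a prefix comparison stands in for the flawed check, next to a fail-closed check that requires approval for every binary in the string. The function names, the 16-character padding threshold and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration; hypothetical helpers, not Gemini CLI's implementation.

// Flawed pattern: approve any string that begins with an approved command.
function naiveIsAllowed(command, approvedCommands) {
  return approvedCommands.some((ok) => command.trim().startsWith(ok));
}

// Constructs this checker refuses to reason about: substitution and redirection.
const UNSUPPORTED = /\$\(|`|[<>]/;
// Command separators. Splitting ignores quoting, so a quoted ';' over-splits;
// that only produces extra approval prompts, never a silent pass.
const SEPARATORS = /&&|\|\||[;|&\n\r]/;
// Assumed threshold for whitespace padding that can push text off-screen.
const PADDING = /\s{16,}/;

// Fail-closed check: every sub-command's binary must be individually approved.
function reviewCommand(command, approvedBinaries) {
  const reasons = [];
  if (PADDING.test(command)) reasons.push('long whitespace run');
  if (UNSUPPORTED.test(command)) reasons.push('substitution or redirection');
  for (const segment of command.split(SEPARATORS)) {
    const binary = segment.trim().split(/\s+/)[0];
    if (binary && !approvedBinaries.has(binary)) {
      reasons.push(`unapproved binary: ${binary}`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample inputs; the appended command is a harmless echo.
const approved = new Set(['grep']);
const benign = 'grep ^Setup README.md';
const chained = benign + ' ; echo APPENDED';
const padded = benign + ' ;' + ' '.repeat(200) + 'echo APPENDED';

// Runs both checks over the three samples and returns the verdicts.
function demo() {
  return [benign, chained, padded].map((cmd) => ({
    naive: naiveIsAllowed(cmd, [benign]),
    strict: reviewCommand(cmd, approved),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The prefix check approves all three samples, while the strict check passes only the plain grep and reports the unapproved `echo` and the padding for the other two.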

Security researchers recommend that developers immediately upgrade to version 0.1.14 or later and utilize sandboxing modes whenever possible when using AI-powered development tools.
