Google fixes Gemini CLI flaws that risked silent data exfiltration - SC Media

Google has fixed flaws in its Gemini Command Line Interface (CLI) tool that could have enabled malicious command execution, including silent data exfiltration. Gemini CLI enables users to interact with code using Google’s Gemini large language model (LLM) directly from their command line. An exploit discovered by Tracebit combined two main flaws in the tool to execute shell commands without a user’s permission or knowledge, according to a Tracebit blog published Monday. Gemini CLI ordinarily requests users’ permission to execute any shell commands and allows users to whitelist certain commands for the rest of a session. This means the tool will no longer request permission to use certain commands the user chose to “always allow,” such as common commands that need to be run repeatedly. Tracebit’s proof-of-concept exploit takes advantage of a flaw in the way Gemini CLI compared shell inputs to the whitelist to validate user permission. They found if an input started with a whitelisted command, a different command could still be executed without additional user permission if included after certain operators (such as a semicolon). They also found that Gemini CLI would not output the results of a command when a large amount of whitespace was included in the input before that command. Combining these two weaknesses, Tracebit crafted a codebase that a hypothetical attack target might use Gemini CLI to analyze. This included two files — a benign code file that the target would want to analyze, and a README.md file that the AI is likely to pull into its context window. The README.md context file included the full text of the GNU Public License, which a human target would be unlikely to read in full if they opened the file. Hidden within the license was a prompt injection that would trigger Gemini CLI to execute shell commands that silently exfiltrate potentially sensitive environment variables to an external server. The prompt injection ensured Gemini formatted the shell commands to take advantage of the previously described weaknesses, beginning with a “grep” command that the target would be likely to “always allow.” Several whitespace characters were then added, followed by a semicolon and malicious “env” and “curl” commands that silently retrieve and exfiltrate the data. As a result, Gemini CLI executed the commands and exfiltrates the data without including any sign of the env and curl commands in its output. Tracebit reported the flaw to Google via its Bug Hunters program on June 27, 2025, and the issue was fixed on July 25, 2025, with the release of Gemini CLI v0.1.14. “Our security model for the CLI is centered on providing robust, multi-layered sandboxing. We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection. For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session,” Google’s Vulnerability Disclosure Program team said in a statement. Tracebit noted that “no sandbox” mode is the default setting for Gemini CLI, and recommends that users use sandboxing modes whenever possible when utilizing AI agents. The Tracebit team also confirmed that, after the fix, Gemini CLI requests permission for all shell commands in an input, even when the input starts with a whitelisted command.