Gemini CLI Fixes CVSS 10 RCE in CI Workflows
Multiple advisories, including Miggo and SecurityOnline, report that Google updated the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Action to remediate a vulnerability tracked as GHSA-wpqr-6v78-jr5g with a CVSS 10 severity rating. Security writeups (indexed by The Hacker News and others) describe two root causes: in headless CI mode the CLI previously auto-trusted workspace folders so configuration files in a local .gemini/ directory could inject malicious environment variables leading to remote code execution, and the experimental --yolo mode previously bypassed tool allowlisting. Mitigations are available in 0.39.1 and 0.40.0-preview.3 per the advisory coverage; CI workflows that relied on the old automatic trust behavior will need configuration changes to restore prior behavior.
What happened
Multiple advisories, including Miggo and SecurityOnline, report that Google published updates to the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Action to fix a security issue tracked as GHSA-wpqr-6v78-jr5g with a CVSS 10 severity rating. The Hacker News and other security writeups describe the vulnerability as enabling remote code execution in certain automated workflows when untrusted workspace contents are processed.
Technical details
Per the Miggo vulnerability entry and SecurityOnline coverage, the issue stems from two related behaviors. First, when Gemini CLI ran in headless (non-interactive) CI environments it implicitly trusted workspace folders and therefore loaded configuration files such as those under a local .gemini/ directory. In workflows that process untrusted pull requests, a malicious actor could supply poisoned environment variables or configuration that leads to command execution. Second, the CLI's experimental --yolo mode previously ignored fine-grained tool allowlists; when run_shell_command was permitted by a loose allowlist, prompt injection could escalate into arbitrary shell commands. Miggo documents that the change aligns headless mode with interactive mode by requiring explicit workspace trust, and that version 0.39.1 modifies the policy engine so that tool allowlisting is still evaluated under --yolo.
Industry context
Tools that automatically trust repository or workspace files in CI pipelines increase the attack surface for supply-chain and prompt-injection style attacks. Observed patterns in similar incidents show that automated runners which treat user-submitted content as trusted often enable the easiest paths to remote code execution, especially when combined with permissive execution primitives or experimental modes that relax security checks.
For practitioners
Review any CI workflows that run @google/gemini-cli or the run-gemini-cli Action, especially those that process contributions from external contributors. Public reporting indicates fixes are available in 0.39.1 and 0.40.0-preview.3; teams should plan validation and regression testing before updating. Where inputs are trusted, the advisories note setting explicit trust flags such as GEMINI_TRUST_WORKSPACE: "true" in workflows; where inputs are untrusted, follow the hardening guidance to configure explicit allowlists and avoid --yolo with permissive settings. Observers should track the GHSA entry for further updates and corroborating CVE identifiers.
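As an added example (not code from the advisories, Google, or the gemini-cli project), the following standard-library Python audit flags the three patterns discussed above in a workflow file: explicit workspace trust on a pull-request trigger, use of --yolo, and a pinned @google/gemini-cli version older than 0.39.1. The sample workflows and the regexes are constructed here and only recognise the spelled-out YAML forms they show.

```python
import re

# Constructed sample (not from the advisory): untrusted PR trigger, explicit
# workspace trust, --yolo, and a CLI version that predates the fix.
RISKY_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened]
jobs:
  review:
    runs-on: ubuntu-latest
    env:
      GEMINI_TRUST_WORKSPACE: "true"
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npx @google/gemini-cli@0.38.0 --yolo -p "Review this PR"
"""

# Constructed sample of a workflow that should produce no findings.
SAFE_WORKFLOW = """\
on:
  push:
    branches: [main]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - run: npx @google/gemini-cli@0.39.1 -p "Summarize the diff"
"""

FIXED_VERSION = (0, 39, 1)  # first fixed release named in the advisory coverage


def _version_tuple(s):
    return tuple(int(x) for x in s.split("."))


def audit_workflow(text):
    """Return a list of findings for one GitHub Actions workflow file."""
    findings = []
    # Block-style trigger keys only; the inline "on: [pull_request]" form is not parsed.
    untrusted = bool(re.search(r"^\s*pull_request(_target)?\s*:", text, re.M))
    if untrusted and re.search(r'GEMINI_TRUST_WORKSPACE:\s*["\']?true', text):
        findings.append("workspace auto-trusted on a pull request trigger")
    if re.search(r"gemini[^\n]*\s--yolo\b", text):
        findings.append("--yolo used (bypassed tool allowlists before 0.39.1)")
    for m in re.finditer(r"@google/gemini-cli@(\d+\.\d+\.\d+)", text):
        if _version_tuple(m.group(1)) < FIXED_VERSION:
            findings.append(f"gemini-cli {m.group(1)} predates the fix in 0.39.1")
    return findings
```

Run it over each file under .github/workflows/ and treat any non-empty result as a review item rather than an automatic failure, since workspace trust is legitimate on workflows whose inputs are trusted.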
What to watch
For practitioners, monitor for downstream action versions, security bulletins from package registries, and CI failures caused by the stricter trust model. Industry observers will watch whether other AI-agent tooling makes similar headless-mode trust changes as part of hardening CI integrations.
Scoring Rationale
A CVSS 10 remote code execution affecting a widely used CLI and associated GitHub Action is a high-impact security event for ML/DevOps teams that run CI on untrusted inputs. Patches are available, but the fix changes workflow behavior and thus has operational impact.