What happened
Google released patches for a critical vulnerability in the Gemini CLI npm package (@google/gemini-cli) and the google-github-actions/run-gemini-cli GitHub Action after multiple research teams published details. Reporting by The Hacker News and Novee Security describes the flaw as enabling remote code execution with a reported CVSS score of 10.0. Google's advisory and follow-up reporting state the problem arises when Gemini CLI runs in headless mode and automatically trusts the current workspace folder, allowing configuration files and environment variables from untrusted directories to be loaded.
Technical details
Novee Security's advisory and Pillar Security's writeup show how attacker-controlled files or specially crafted GitHub comments can inject agent configuration that is loaded before sandboxing initializes, leading to host command execution, credential theft, or supply-chain compromise. The Hacker News and SecurityWeek report the affected versions as @google/gemini-cli < 0.39.1, @google/gemini-cli < 0.40.0-preview.3 and google-github-actions/run-gemini-cli < 0.1.22. The research families named in public reporting include the "Comment and Control" technique (Aonan Guan et al., reported by SecurityWeek) and the "PromptPwnd" class (Aikido Security), both exploiting untrusted GitHub input processed by AI agents.
Industry context
Editorial analysis: AI agents that ingest untrusted source control content and run with access to execution tools and repository secrets broaden the attack surface of CI/CD pipelines. Public reporting ties this Gemini CLI incident to a broader pattern where prompt-injection style inputs are weaponized to escalate privileges or exfiltrate secrets when agent runtime and environment trust are over-permissive. Prior responsible disclosures and open-source detection rules from Aikido Security and others indicate the pattern affects multiple vendors and large organizations, per Aikido's published findings.
What to watch
Editorial analysis: Observers should track whether a CVE identifier is assigned and whether additional affected packages or GitHub Actions surface as researchers probe similar agent workflows. Security teams and pipeline owners will watch vendor advisories for hardened defaults and whether GitHub introduces more granular restrictions for Actions that expose tokens or environment access. Also monitor proof-of-concept releases from the research teams for details that could be reused by attackers.
Practical mitigation notes (reported)
Google's advisory and media reporting recommend avoiding running Gemini CLI in headless mode on untrusted inputs, explicitly trusting workspace folders only when appropriate, and upgrading to patched versions. Security writeups from Pillar and Aikido recommend reducing agent tool privileges, sanitizing untrusted inputs before they enter prompts, and treating AI-generated output as untrusted code when it could be executed by CI workflows.
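An added example, not code from Google or any of the research teams cited: a small Python audit that orders semver strings (prerelease identifiers included) and flags @google/gemini-cli or run-gemini-cli pins that fall inside the affected ranges reported above, including `uses:` lines in GitHub workflow files. The lower bound 0.40.0-preview.0 for the preview range, and the reading that this range does not cover the 0.39.x stable line, are my assumptions.

```python
# Added example (mine, not Google's or the researchers' code): audit pinned Gemini CLI
# versions against the affected ranges quoted above.
import re

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")
_USES = re.compile(r"uses:\s*(google-github-actions/run-gemini-cli)@(\S+)")

# (package, lower bound inclusive or None, upper bound exclusive), as reported. Reading the
# preview range as 0.40.0 prereleases only, not the 0.39.x stable line, is my assumption.
VULNERABLE_RANGES = [
    ("@google/gemini-cli", None, "0.39.1"),
    ("@google/gemini-cli", "0.40.0-preview.0", "0.40.0-preview.3"),  # lower bound assumed
    ("google-github-actions/run-gemini-cli", None, "0.1.22"),
]

def parse(version):
    """Split 'MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]' into (core tuple, prerelease tuple)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    pre = m.group(4).split(".") if m.group(4) else []
    return tuple(map(int, m.group(1, 2, 3))), tuple(int(p) if p.isdigit() else p for p in pre)

def compare(a, b):
    """Semver precedence of a vs b as -1, 0 or 1; a release outranks its own prereleases."""
    (ca, pa), (cb, pb) = parse(a), parse(b)
    if ca != cb or not pa or not pb:
        return (ca > cb) - (ca < cb) if ca != cb else (not pa) - (not pb)
    for x, y in zip(pa, pb):  # numeric identifiers rank below alphanumeric ones
        if x != y:
            return (x > y) - (x < y) if type(x) is type(y) else isinstance(y, int) - isinstance(x, int)
    return (len(pa) > len(pb)) - (len(pa) < len(pb))  # shorter identifier list ranks lower

def is_vulnerable(package, version):
    """True if the pinned version falls inside any reported range for that package."""
    for pkg, low, high in VULNERABLE_RANGES:
        if pkg == package and (low is None or compare(version, low) >= 0) and compare(version, high) < 0:
            return True
    return False

def scan_workflow(yaml_text):
    """(line, version) for run-gemini-cli pins in a reported range; SHA/branch pins are skipped."""
    hits = []
    for n, line in enumerate(yaml_text.splitlines(), 1):
        m = _USES.search(line)
        if m and _SEMVER.match(m.group(2)) and is_vulnerable(m.group(1), m.group(2)):
            hits.append((n, m.group(2)))
    return hits
```

Pins by commit SHA or branch name are not semver and are deliberately skipped, so review those by hand against the Action's release notes.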
Key Points
1. Critical RCE in Gemini CLI and its GitHub Action, reported at CVSS 10.0, can turn CI workflows into supply-chain attack vectors.
2. Attackers can weaponize untrusted GitHub content via prompt-injection patterns like "Comment and Control" and "PromptPwnd" to load malicious agent configs.
3. Practitioners should audit headless-agent workflows, upgrade to patched versions, and reduce agent privileges to lower attack surface.
Scoring Rationale
A maximum-severity (CVSS 10.0) remote code execution issue in a popular AI CLI and its GitHub Action poses a major supply-chain and CI/CD risk for developers and security teams. The story affects practitioner workflows and tooling choices, and it fits the "Major" rung for security-impact stories.