Gemini CLI vulnerability enables remote code execution risk
Multiple security researchers disclosed a critical remote code execution flaw in Google's Gemini CLI and the google-github-actions/run-gemini-cli GitHub Action that could allow attackers to execute commands on CI/CD hosts. Reporting by Novee Security, Pillar Security and others places the issue at a CVSS 10.0 severity and ties the root cause to headless-mode handling of workspace trust, which previously auto-trusted workspace folders for loading configuration and environment variables, according to Google's advisory and reporting by The Hacker News and The Register. Researchers demonstrated prompt-injection style attacks via GitHub comments and issue contents (the "Comment and Control" and "PromptPwnd" patterns), which can deliver malicious agent configuration or environment variables. Google released patched releases and mitigations for affected versions; researchers and vendors urge CI workflow review and limiting agent privileges.
What happened
Google released patches for a critical vulnerability in the Gemini CLI npm package (@google/gemini-cli) and the google-github-actions/run-gemini-cli GitHub Action after multiple research teams published details. Reporting by The Hacker News and Novee Security describes the flaw as enabling remote code execution with a reported CVSS score of 10.0. Google's advisory and follow-up reporting state the problem arises when Gemini CLI runs in headless mode and automatically trusts the current workspace folder, allowing configuration files and environment variables from untrusted directories to be loaded.
Technical details
Novee Security's advisory and Pillar Security's writeup show how attacker-controlled files or specially crafted GitHub comments can inject agent configuration that is loaded before sandboxing initializes, leading to host command execution, credential theft, or supply-chain compromise. The Hacker News and SecurityWeek report the affected versions as @google/gemini-cli < 0.39.1, @google/gemini-cli < 0.40.0-preview.3 and google-github-actions/run-gemini-cli < 0.1.22. The research families named in public reporting include the "Comment and Control" technique (Aonan Guan et al., reported by SecurityWeek) and the "PromptPwnd" class (Aikido Security), both exploiting untrusted GitHub input processed by AI agents.
Industry context
Editorial analysis: AI agents that ingest untrusted source control content and run with access to execution tools and repository secrets broaden the attack surface of CI/CD pipelines. Public reporting ties this Gemini CLI incident to a broader pattern where prompt-injection style inputs are weaponized to escalate privileges or exfiltrate secrets when agent runtime and environment trust are over-permissive. Prior responsible disclosures and open-source detection rules from Aikido Security and others indicate the pattern affects multiple vendors and large organizations, per Aikido's published findings.
What to watch
Editorial analysis: Observers should track whether a CVE identifier is assigned and whether additional affected packages or GitHub Actions surface as researchers probe similar agent workflows. Security teams and pipeline owners will watch vendor advisories for hardened defaults and whether GitHub introduces more granular restrictions for Actions that expose tokens or environment access. Also monitor proof-of-concept releases from the research teams for details that could be reused by attackers.
Practical mitigation notes (reported)
Google's advisory and media reporting recommend avoiding running Gemini CLI in headless mode on untrusted inputs, explicitly trusting workspace folders only when appropriate, and upgrading to patched versions. Security writeups from Pillar and Aikido recommend reducing agent tool privileges, sanitizing untrusted inputs before they enter prompts, and treating AI-generated output as untrusted code when it could be executed by CI workflows.
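The first mitigation step is knowing whether a repository still pins an affected version. The script below is an added example written for this article; it is not Google's, Novee's, Pillar's or Aikido's code. It encodes the affected ranges exactly as reported above (@google/gemini-cli < 0.39.1, @google/gemini-cli < 0.40.0-preview.3, run-gemini-cli < 0.1.22), scans GitHub workflow `uses:` lines and a package-lock.json for those two packages, and reports which references fall inside the ranges. It assumes the Action is referenced by a tag of the form vX.Y.Z; a commit SHA or branch ref cannot be compared and is returned as `None` for manual review. The workflow and lock-file contents are constructed sample inputs, not files from any real project.

```python
import json
import re
from typing import List, Optional, Tuple

# Fixed versions as reported by SecurityWeek / The Hacker News (see above).
# A package is affected when its version is below the fix that governs its line.
FIXED_VERSIONS = {
    "@google/gemini-cli": ["0.39.1", "0.40.0-preview.3"],
    "google-github-actions/run-gemini-cli": ["0.1.22"],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")
_USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")

Version = Tuple[int, int, int, tuple]


def parse_version(v: str) -> Optional[Version]:
    """Parse 'X.Y.Z' or 'X.Y.Z-pre.N' (leading 'v' tolerated) into a comparable tuple.

    Semver ordering: a prerelease sorts below the same X.Y.Z release, numeric
    prerelease identifiers compare numerically and sort below alphanumeric ones.
    Returns None for anything else (commit SHA, branch name, 'latest').
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, ((2, 0, ""),))  # marker: stable release
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split("."))
    return (major, minor, patch, ids)


def _is_prerelease(pv: Version) -> bool:
    return pv[3][0][0] != 2


def is_vulnerable(package: str, version: str) -> Optional[bool]:
    """True if the version is in a reported affected range, False if not,
    None if the reference cannot be parsed as a version."""
    fixes = FIXED_VERSIONS.get(package)
    if fixes is None:
        return False  # not one of the packages named in the reporting
    pv = parse_version(version)
    if pv is None:
        return None
    parsed_fixes = [parse_version(f) for f in fixes]
    # A prerelease fix (0.40.0-preview.3) governs only prereleases of that X.Y.Z line.
    for fv in parsed_fixes:
        if _is_prerelease(fv) and _is_prerelease(pv) and pv[:3] == fv[:3]:
            return pv < fv
    # Everything else is judged against the lowest stable fixed release.
    stable = min(fv for fv in parsed_fixes if not _is_prerelease(fv))
    return pv < stable


def scan_workflow(text: str) -> List[Tuple[int, str, str, Optional[bool]]]:
    """Return (line_no, action, ref, verdict) for every affected-action reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _USES_RE.search(line)
        if m and m.group(1) in FIXED_VERSIONS:
            action, ref = m.group(1), m.group(2)
            findings.append((line_no, action, ref, is_vulnerable(action, ref)))
    return findings


def scan_package_lock(lock_json: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (package, version, verdict) for affected npm packages in a lockfile v2/v3."""
    findings = []
    for path, entry in json.loads(lock_json).get("packages", {}).items():
        name = path.split("node_modules/")[-1]
        if name in FIXED_VERSIONS:
            findings.append((name, entry["version"], is_vulnerable(name, entry["version"])))
    return findings


# Constructed sample inputs (not real project files).
SAMPLE_WORKFLOW = """\
name: triage
on:
  issue_comment:
    types: [created]
jobs:
  gemini:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.21
      - uses: google-github-actions/run-gemini-cli@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample"},
        "node_modules/@google/gemini-cli": {"version": "0.39.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW) + scan_package_lock(SAMPLE_LOCK):
        print(f)
```

Treat a `None` verdict as a finding in its own right: a SHA-pinned Action is good practice, but the pin still has to be checked against the release history by hand. Note also that a workflow triggered on `issue_comment` or `issues` is exactly the path the "Comment and Control" and "PromptPwnd" research describes, so those triggers deserve a second look even after the upgrade.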
Scoring Rationale
A maximum-severity (CVSS 10.0) remote code execution issue in a popular AI CLI and its GitHub Action poses a major supply-chain and CI/CD risk for developers and security teams. The story affects practitioner workflows and tooling choices, and it fits the "Major" rung for security-impact stories.