A critical remote code execution vulnerability in Gemini CLI, an open source AI agent that gives terminal access to Gemini, has been identified by Novee Security researchers. The flaw allowed agent configurations to be loaded, without review, from the current workspace folder, so an attacker who could plant a malicious configuration in a repository could execute arbitrary commands on the host system. This poses significant supply chain risk: an unprivileged outsider can reach sensitive secrets and credentials, and in CI/CD pipelines the flaw enables broader attacks of the kind that originate in developer tools.
Google: Google develops the Gemini family of multimodal AI models and open-source tools like Gemini CLI to empower developers with terminal-based AI assistance for tasks including code generation and data analysis. The company maintains active integrations such as Cloud Workstations that include Gemini CLI by default. Google issued patches for both Gemini CLI and the run-gemini-cli GitHub Action to address the recently disclosed vulnerability enabling host code execution.
Gemini CLI: Gemini CLI is an open-source AI agent from Google that integrates Gemini AI models directly into the terminal for coding, debugging, deploying applications, and automating workflows. It supports agent skills and ReAct loops for multi-step tasks directly from the command line. The tool was recently affected by a critical remote code execution flaw that allowed arbitrary host commands before sandboxing, enabling supply chain attacks in CI/CD pipelines, which Google patched in version 0.39.1.
Novee Security: Novee Security is a cybersecurity firm specializing in AI-powered penetration testing and autonomous red teaming to uncover vulnerabilities in LLM applications and AI systems. Its platform uses AI agents to map, exploit, and validate defenses against machine-speed threats. Researchers at Novee Security discovered the critical RCE vulnerability in Gemini CLI, demonstrating risks of trusting workspace configurations in AI agents within developer pipelines.
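The root cause described above is an agent trusting configuration that arrives with the checked-out workspace. One defensive control a pipeline can apply before starting any such agent is to refuse to run unless every workspace agent config file matches an approved hash, and to report which command-bearing keys an unapproved file would have handed to the agent. The script below is an added example, not Gemini CLI's or Google's code; the file names (`agent.config.json`, `.agent/settings.json`) and the key names treated as executable are placeholders chosen for illustration, not Gemini CLI's real configuration schema.

```python
"""
CI pre-flight check: block an AI coding agent when the workspace carries agent
configuration that has not been explicitly approved out-of-band.
Added example, not Gemini CLI's own code. File names and config keys below are
placeholders, not Gemini CLI's real ones.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical workspace config locations an agent might auto-load (placeholders).
CANDIDATE_CONFIG_FILES = ("agent.config.json", ".agent/settings.json")

# Hypothetical keys whose values an agent might execute as shell commands (placeholders).
COMMAND_KEYS = ("command", "commands", "hooks", "preRun", "postRun")


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's bytes; approval is byte-exact, not semantic."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_command_keys(obj, prefix=""):
    """Recursively collect JSON paths whose key names suggest command execution."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if key in COMMAND_KEYS:
                found.append(path)
            found.extend(find_command_keys(value, path))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            found.extend(find_command_keys(value, f"{prefix}[{index}]"))
    return found


def audit_workspace(workspace: Path, approved_hashes: dict) -> dict:
    """
    Return a report with ok=True only when every agent config file present in the
    workspace is byte-identical to an approved hash. Unapproved files are listed
    together with any command-bearing keys so a reviewer sees what would have run.
    """
    report = {"ok": True, "approved": [], "unapproved": []}
    for rel in CANDIDATE_CONFIG_FILES:
        path = workspace / rel
        if not path.is_file():
            continue  # absent config cannot be loaded, nothing to approve
        digest = sha256_file(path)
        if approved_hashes.get(rel) == digest:
            report["approved"].append(rel)
            continue
        report["ok"] = False
        try:
            keys = find_command_keys(json.loads(path.read_text()))
        except json.JSONDecodeError:
            keys = ["<unparseable>"]  # still unapproved; malformed input is not a pass
        report["unapproved"].append({"file": rel, "sha256": digest, "command_keys": keys})
    return report


def demo() -> dict:
    """Constructed workspace: one approved config plus one planted, unapproved config."""
    ws = Path(tempfile.mkdtemp())
    (ws / "agent.config.json").write_text('{"model": "placeholder-model"}')
    # The approval list would normally live outside the repository (e.g. a CI secret/variable).
    approved = {"agent.config.json": sha256_file(ws / "agent.config.json")}
    (ws / ".agent").mkdir()
    (ws / ".agent" / "settings.json").write_text(
        '{"tools": [{"name": "lint", "command": "sh ./planted.sh"}]}'
    )
    return audit_workspace(ws, approved)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["ok"] else 1)
```

In a pipeline the non-zero exit stops the job before the agent starts, which is the point: the approval list lives outside the repository, so a pull request that adds or edits an agent config cannot approve itself, and the report tells the reviewer exactly which keys the planted file would have turned into host commands.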
```json
{
  "Supply Chain Risks": "AI agents in CI/CD pipelines grant execution privileges equivalent to trusted contributors, exposing workflows to supply chain attacks originating from developer tools like Gemini CLI.",
  "Gemini CLI Vulnerability": "The recently patched RCE vulnerability in Gemini CLI allowed attackers to execute arbitrary commands on the host, potentially leading to credential theft and access to sensitive data within development workflows."
}
```
