Full Report
Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. "The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,"
Analysis Summary
# Vulnerability: Google Gemini CLI Remote Code Execution (RCE) via Malicious Configuration
## CVE Details
- **CVE ID:** None assigned (Referenced via GHSA-wpqr-6v78-jr5g)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-20 (Improper Input Validation) / CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
- **Products:**
- `@google/gemini-cli` (npm package)
- `google-github-actions/run-gemini-cli` (GitHub Action)
- **Versions:**
- `@google/gemini-cli` < 0.39.1
- `@google/gemini-cli` < 0.40.0-preview.3
- `google-github-actions/run-gemini-cli` < 0.1.22
- **Configurations:** Systems running Gemini CLI in **headless mode** (typical in CI/CD environments) without folder trust mechanisms enabled.
## Vulnerability Description
The vulnerability stems from the Gemini CLI's behavior of automatically trusting workspace folders when running in CI/headless environments. This allowed the tool to automatically load configuration files and environment variables from a local `.gemini/` directory without user consent or sandboxing.
An attacker could submit a malicious pull request containing a crafted `.gemini/` configuration. When the CI pipeline runs the Gemini CLI to review the PR, the CLI loads the malicious environment variables/configuration, leading to arbitrary command execution on the host runner before the agent's security sandbox is even initialized.
## Exploitation
- **Status:** PoC available (Reported by Novee Security)
- **Complexity:** Low
- **Attack Vector:** Network (External attacker submitting content to a repository)
## Impact
- **Confidentiality:** Total (Full access to host environment and secrets)
- **Integrity:** Total (Ability to modify code and build artifacts)
- **Availability:** Total (Ability to disrupt or destroy CI/CD infrastructure)
## Remediation
### Patches
Update to the following versions or higher:
- **npm:** `@google/[email protected]`
- **GitHub Action:** `google-github-actions/[email protected]`
The patch removes "automatic trust" and requires explicit authorization for workspace folders.
### Workarounds
- Ensure the environment variable `GEMINI_TRUST_WORKSPACE` is **not** set to `'true'` when processing untrusted inputs (e.g., public pull requests).
- Review and harden tool allowlisting if using `--yolo` mode to ensure only safe commands are permitted.
## Detection
- **Indicators of Compromise:**
- Presence of unexpected `.gemini/` directories in repository root or subdirectories.
- Unusual environment variables defined in configuration files within the repo.
- Unexpected shell commands execution originating from CI runner service accounts.
- **Detection Methods:**
- Audit GitHub Action logs for unauthorized tool calls or "run_shell_command" executions.
- Use static analysis tools to scan for hidden or malicious configuration files in incoming PRs.
## References
- **Vendor Advisory:** [https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g]
- **Researcher Report:** [https://novee.security/blog/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory/]
- **NPM Package:** [https://www.npmjs.com/package/@google/gemini-cli]