This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows
Analysis Summary
# Vulnerability: Google Gemini CLI Infrastructure-Level RCE
## CVE Details
- **CVE ID**: Pending (Confirmed by Google to be in the process of assignment)
- **CVSS Score**: 10.0 (Critical)
- **CWE**: CWE-15: External Control of System or Configuration Setting / CWE-73: External Control of File Name or Path
## Affected Systems
- **Products**: Google Gemini CLI (Command Line Interface), `run-gemini-cli` GitHub Action
- **Versions**:
  - Gemini CLI versions prior to **0.39.1**
  - Gemini CLI versions prior to **0.40.0-preview.3**
- **Configurations**: Specifically systems running in **headless mode** (typical in CI/CD pipelines, GitHub Actions, and AI agents) or using the **`--yolo`** mode.
## Vulnerability Description
The flaw is an infrastructure-level issue involving over-permissive workspace trust settings. In headless mode, the Gemini CLI automatically trusted any workspace folder it was active in. This allowed the tool to silently load configuration files and environment variables from a local `.gemini/` directory. If an attacker could place a malicious configuration file in that directory (e.g., via a pull request or untrusted repository content), they could trigger Remote Code Execution (RCE) on the host machine before any security sandboxing was initialized.
## Exploitation
- **Status**: PoC available (writeup published by Novee Security); no current reports of exploitation in the wild, though it is "easy-to-abuse."
- **Complexity**: Low
- **Attack Vector**: Network (via untrusted repository content/CI/CD supply chain)
## Impact
- **Confidentiality**: Total (Access to secrets, credentials, and source code)
- **Integrity**: Total (Ability to modify source code/artifacts)
- **Availability**: Total (Complete host takeover)
## Remediation
### Patches
Update to the following versions or newer:
- **Gemini CLI: 0.39.1**
- **Gemini CLI: 0.40.0-preview.3**
- Ensure the `run-gemini-cli` GitHub Action is updated to the latest version.
### Workarounds
- **Explicit Trust**: Manually update CI/CD workflows to use explicit trust mechanisms for workspace folders.
- **Tool Allowlists**: Modify tool allowlists to accommodate the new policy engine requirements if using `--yolo` mode.
- **Pinning**: Pinning older versions is highly discouraged due to the critical nature of the flaw. If immediate migration is impossible, strictly isolate the environment.
## Detection
- **Indicators of Compromise**: Presence of unauthorized or unexpected `.gemini/` directories in repository workspaces; unusual environment variables defined in configuration files.
- **Detection methods**: Review CI/CD execution logs for "failed to load workspace-specific settings" errors, which may indicate the patch has blocked an attempt to use the old trust model. Audit GitHub Action workflows for unpinned Gemini CLI versions.
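
One way to run the repository-side checks listed above against a checked-out workspace, as an added example (not code from Google or Novee): it lists every `.gemini/` directory with its files and flags `run-gemini-cli` workflow references that are not pinned. The function names and the rule that only a full 40-character commit SHA counts as pinned are assumptions of this example.

```python
"""Added example: audit a checked-out workspace before Gemini CLI runs in CI."""
import re
import sys
from pathlib import Path

# Assumption: action name taken from the vendor advisory URL on this page.
ACTION = "google-github-actions/run-gemini-cli"
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?" + re.escape(ACTION) + r"(?:@([^\s'\"#]+))?",
    re.M,
)
FULL_SHA = re.compile(r"[0-9a-f]{40}")  # assumption: only a full commit SHA is "pinned"


def find_gemini_dirs(root):
    """Map each .gemini/ directory under root to the files it contains."""
    root = Path(root)
    found = {}
    for d in sorted(root.rglob(".gemini")):
        rel = d.relative_to(root)
        if d.is_dir() and ".git" not in rel.parts:
            found[rel.as_posix()] = sorted(
                f.relative_to(d).as_posix() for f in d.rglob("*") if f.is_file()
            )
    return found


def find_unpinned_action_refs(root):
    """Return (workflow, ref) pairs where the action is not pinned to a commit SHA."""
    root = Path(root)
    findings = []
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        text = wf.read_text(encoding="utf-8", errors="replace")
        for m in USES_RE.finditer(text):
            ref = m.group(1) or ""
            if not FULL_SHA.fullmatch(ref):
                findings.append((wf.relative_to(root).as_posix(), ref))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    dirs, refs = find_gemini_dirs(root), find_unpinned_action_refs(root)
    for d, files in dirs.items():
        print(f"[.gemini] {d}: {files}")
    for wf, ref in refs:
        print(f"[unpinned] {wf}: {ACTION}@{ref or '<no ref>'}")
    sys.exit(1 if dirs or refs else 0)
```

Run as a CI step before any Gemini CLI invocation; a non-zero exit means a `.gemini/` directory or an unpinned reference needs review, not that compromise occurred.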
## References
- **Vendor Advisory**: hxxps[://]github[.]com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g
- **Researcher Writeup (Novee)**: hxxps[://]novee[.]security/blog/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory/