A serious code execution vulnerability threatened the security of Gemini CLI users. Upon detecting the flaw, Google patched the vulnerability, releasing the fix with the latest CLI release. Given the severity of the issue, users must ensure upgrading to the patched version to avoid potential threats.
Google Gemini Vulnerability Allowed Malicious Code Execution
Researchers from Tracebit discovered a serious code execution vulnerability in Gemini CLI. Sharing the details in a blog post, Sam Cox of Tracebit explained how exploiting the flaw could let an adversary execute malicious commands on the target user’s machine.
Gemini CLI is an open-source, AI-powered command-line interface tool from Google, allowing developers to interact directly with Gemini AI from the terminal. It performs various activities, such as generating code and debugging, to enhance productivity for developers. Google has also integrated this tool with Google Code Assist to facilitate AI-powered coding.
Specifically, the vulnerability existed due to several security flaws that an adversary could chain to perform an attack. These include “improper validation, prompt injection, misleading UX, and inspecting untrusted code” by the Gemini model.
Gemini CLI functions by executing shell commands via the run_shell_command tool, and adds context files, called “GEMINI.md” to the codebase. These two steps are what the researchers used in their attack to demonstrate the issue. They created a context file “README.md”, inserting malicious commands in it, and placed it in a benign Python repository. When Gemini CLI scans this repository, it would also read the “README.md” file, thus executing the malicious command.
While a user can view the commands executed, the researchers also demonstrated manipulating the AI’s Terminal User Interface by enveloping the malicious command with whitespace. Doing so would allow the attacker to make the harmless part of the command visible, while hiding the malicious part.
In their attack, the researchers demonstrated injecting malicious code with “grep” command that most users would whitelist. Next, when Gemini CLI runs code, it won’t appear to the user due to the added whitespace.
The following video demonstrates the attack.
Google Deployed A Patch
Following this discovery, Tracebit researchers reached out to Google to report the flaw via Google’s Vulnerability Disclosure Program on July 27, 2025, two days after the Gemini CLI launch. In response, Google patched the vulnerability with Gemini CLI version 0.1.14.
Tracebit also quoted the following statement from Google.
Our security model for the CLI is centered on providing robust, multi-layered sandboxing. We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection. For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session.
To keep their devices safe from potential threats, users must ensure that they update to the latest CLI release.
Let us know your thoughts in the comments.
