A significant security vulnerability was discovered in the Gemini Command Line Interface (CLI), potentially enabling attackers to carry out a supply chain attack. The risk was highlighted by Pillar Security, who identified the flaw as allowing indirect prompt injection through content placed in a GitHub issue.
Understanding the Gemini CLI Vulnerability
The Gemini CLI, an open-source AI agent that gives access to Google's Gemini AI assistant from a terminal, contained a critical security defect. Despite lacking a CVE identifier, the vulnerability was given a perfect CVSS score of 10/10, indicating its severe impact. The issue arose specifically in the CLI's --yolo mode, which bypassed tool allowlists and thus opened the door to arbitrary command execution.
Pillar Security explained that attackers could exploit this vulnerability by crafting a public issue within a Google GitHub repository and embedding malicious prompts in its content. Because --yolo mode automatically approved tool calls, an AI agent tasked with managing user-submitted issues could be hijacked. This could in turn lead to internal secrets from the build environment being exfiltrated to a server controlled by the attacker.
The Potential Consequences of the Flaw
Once the attacker obtained the necessary credentials, they could escalate their privileges to gain full write access to the repository. This breach could result in the attacker being able to inject any code into the main branch of the gemini-cli repository, affecting all downstream users. Pillar Security reported that at least eight other Google repositories were subject to the same vulnerable workflow template, increasing the potential impact.
Google responded to this security threat by addressing the vulnerability on April 24 with the release of Gemini CLI version 0.39.1. This update included stricter evaluation of tool allowlisting under --yolo mode. Additionally, the run-gemini-cli GitHub Action received updates to mitigate the risk.
Additional Security Enhancements
Beyond the tool allowlisting correction, the update tackled another issue related to trust settings in Gemini CLI’s headless mode. Previously, this mode automatically trusted the current workspace folder, which could have exposed credentials, secrets, and source code within vulnerable Continuous Integration (CI) workflows. The update aimed to fortify the security of these workflows, mitigating the risk of further supply chain attacks.
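As an added illustration of the kind of defensive check this incident calls for (not code from the article or from the Gemini CLI project), the following Python audits a GitHub Actions workflow, given as a Python dict rather than YAML, for the combination described above: an agent step run with --yolo, a trigger that delivers untrusted issue text, and write permissions or secrets in scope. The command-line shape ("gemini -p ...") and both sample workflows are assumptions constructed for the demo.

```python
# Static check for the risky CI shape described above: an agent step run with
# --yolo, reachable from untrusted issue/PR text, in a job holding write
# permissions or secrets. Added example, not Gemini CLI code; the command-line
# shape ("gemini -p ...") and both workflows are assumptions for the demo.

# Events whose payloads carry attacker-controllable text (issue bodies,
# comments, titles) that an agent may end up treating as instructions.
UNTRUSTED_EVENTS = {"issues", "issue_comment", "pull_request_target"}

def audit_workflow(workflow: dict) -> list:
    """Return human-readable findings; an empty list means no risky combination."""
    findings = []
    untrusted = sorted(set(workflow.get("on", {})) & UNTRUSTED_EVENTS)
    top_perms = workflow.get("permissions") or {}
    for job_name, job in workflow.get("jobs", {}).items():
        perms = job.get("permissions") or top_perms
        write_scopes = sorted(k for k, v in perms.items() if v == "write")
        for step in job.get("steps", []):
            cmd = step.get("run") or ""
            if "--yolo" not in cmd.split():
                continue  # only auto-approving agent steps matter here
            env_values = [str(v) for v in (step.get("env") or {}).values()]
            if untrusted:
                findings.append(f"{job_name}: --yolo step reachable from untrusted trigger(s) {untrusted}")
            if write_scopes:
                findings.append(f"{job_name}: --yolo step runs with write permissions {write_scopes}")
            if any("secrets." in v for v in [cmd] + env_values):
                findings.append(f"{job_name}: --yolo step has secrets in its command or environment")
    return findings
# Constructed workflow in the vulnerable shape: issue-triggered, auto-approving
# agent, write token for the repository, API key in the environment.
RISKY = {
    "on": {"issues": {"types": ["opened"]}},
    "permissions": {"contents": "write", "issues": "write"},
    "jobs": {"triage": {"steps": [{
        "run": 'gemini --yolo -p "Triage this issue: ${{ github.event.issue.body }}"',
        "env": {"GEMINI_API_KEY": "${{ secrets.GEMINI_API_KEY }}"},
    }]}},
}

# Same job hardened: no --yolo (tool calls need explicit approval) and a
# read-only contents scope, so even a hijacked agent cannot push to main.
HARDENED = {
    "on": {"issues": {"types": ["opened"]}},
    "permissions": {"contents": "read", "issues": "write"},
    "jobs": {"triage": {"steps": [{
        "run": 'gemini -p "Summarise the newly opened issue"',
        "env": {"GEMINI_API_KEY": "${{ secrets.GEMINI_API_KEY }}"},
    }]}},
}
```

Run `audit_workflow(RISKY)` to see all three findings and `audit_workflow(HARDENED)` to confirm the rewritten job produces none.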
This incident underscores the critical importance of maintaining robust security practices, especially in widely-used software tools. It serves as a reminder of the ever-present threats in the digital landscape and the need for constant vigilance and timely response to vulnerabilities.
