
Gemini CLI AI assistant vulnerability allows hidden command execution.

A critical security vulnerability was identified by Tracebit on June 27, 2025. It affects Google's Gemini CLI tool, allowing attackers to execute malicious commands. This flaw operates on developer systems, often without detection. The vulnerability exploits prompt injection, inadequate input validation, and misleading UI elements. This enables silent code execution, especially when developers examine untrusted code repositories.


The vulnerability's core lies in Gemini CLI's `run_shell_command` tool. It also involves its support for context files like `GEMINI.md`, which feed project information to the AI assistant.

Attackers could embed harmful instructions in benign files, such as `README.md`. These were often concealed within legitimate content, including the GNU Public License text.

This sophisticated attack used a two-stage approach. Attackers first prompted Gemini to execute an innocuous command, like `grep ^Setup README.md`. This appeared to search for setup instructions.

Upon user approval, the operation was whitelisted. However, the system's flawed validation logic created an opening. Gemini CLI's insufficient command validation against the whitelist was the core technical flaw.

The original implementation failed to parse complex shell command strings. This allowed attackers to append malicious payloads after approved commands. A whitelisted `grep` command, for instance, could exfiltrate environment variables.

Sensitive credentials could be sent to an attacker-controlled server. This occurred while the expected `grep` operation still ran, making the attack stealthy.

A dangerous aspect was the vulnerability's ability to remain hidden. Attackers used rendering quirks in Gemini CLI's Terminal User Interface: by inserting many whitespace characters within commands, they obscured malicious payloads from display. Users saw only the benign command portion, even as the malicious code executed successfully.
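The allowlist flaw and the whitespace-padding trick described above, as an added example that is not Gemini CLI's code or Tracebit's proof of concept: a first-word check next to a deliberately conservative one that validates every command segment, plus an approval display that collapses padding. All function names, the `unapproved-binary` placeholder and the sample strings are constructed assumptions.

```javascript
// Added illustration, not Gemini CLI source. Weak check: first word only.
function naiveIsApproved(command, allowlist) {
  return allowlist.has(command.trim().split(/\s+/)[0]);
}

// Split on unquoted ; & | and newline. Returns null for anything this
// conservative checker refuses: escapes, $ or backtick expansion,
// redirection, subshells, unterminated quotes.
function splitSegments(command) {
  const segments = [];
  let current = "", quote = null; // quote: the quote character now open
  for (const ch of command) {
    if (ch === "\\") return null; // escapes change quoting; refuse
    if (quote === "'") {
      if (ch === "'") quote = null;
    } else if (ch === "$" || ch === "`") {
      return null; // expansion or command substitution
    } else if (quote === '"') {
      if (ch === '"') quote = null;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
    } else if ("<>()".includes(ch)) {
      return null; // redirection, subshell, process substitution
    } else if (";&|\n".includes(ch)) {
      segments.push(current); // control operator ends the segment
      current = "";
      continue;
    }
    current += ch;
  }
  if (quote) return null;
  segments.push(current);
  return segments.map((s) => s.trim()).filter(Boolean);
}

// Approve only if every segment starts with an allowlisted binary.
function strictIsApproved(command, allowlist) {
  const segments = splitSegments(command);
  if (segments === null || segments.length === 0) return false;
  return segments.every((s) => allowlist.has(s.split(/\s+/)[0]));
}

// Collapse padding and mark newlines so the prompt shows the whole command.
function displayForApproval(command) {
  return command.replace(/[ \t]+/g, " ").replace(/\r?\n/g, " \\n ").trim();
}

// Constructed sample: approved grep, 200 spaces, then a second command.
const ALLOWLIST = new Set(["grep"]);
const PADDED = "grep ^Setup README.md" + " ".repeat(200) + "; unapproved-binary --flag";
```

The checker rejects more than a real shell would, which is the intended trade-off for an approval gate: anything it cannot classify goes back to the user for explicit approval.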

Google classified this as a P1/S1 severity issue. A corrective patch was released in Gemini CLI version 0.1.14 on July 25, 2025. This update improved command parsing logic. It also increased visibility of malicious commands to users. Explicit approval is now required for additional binaries. Security researchers urge developers to upgrade to 0.1.14 or later. They also recommend utilizing sandboxing modes whenever possible, especially when employing AI-powered development tools.
