Flaw in Gemini Interface Allowed Execution of Malicious Code

Cybersecurity service Tracebit identified a critical vulnerability in Google Gemini CLI. The flaw allows malicious commands to run silently when a user uses the tool to view suspicious code.

Google Gemini CLI is a command line interface tool that enables developers to interact with Google’s Gemini AI model directly from the terminal. It allows users to:

  • analyze, interpret, and generate code using AI;
  • send text commands to the Gemini model and receive responses;
  • review others’ code, generate functions, fix bugs, and perform other engineering tasks — all within the terminal.

Tracebit employee Sam Cox explained that “due to a toxic combination of incorrect validation, command injection through prompts, and a misleading interface, code viewing consistently leads to the silent execution of malicious commands.”

The expert embedded a “prompt injection” in a README.md file that also contained the full text of the GNU Public License and accompanied a safe Python script. With it, he was able to make Gemini use the env and curl commands to transmit credentials to a remote server awaiting a connection.

[Image. Source: Tracebit.]

Initially, Google assigned the vulnerability discovered by Cox a priority of two and a severity level of four within the Bug Hunters program after receiving the report on June 27.

About three weeks later, the corporation reclassified the vulnerability as the most severe, requiring urgent and immediate attention, as it could lead to significant data leaks, unauthorized access, or arbitrary code execution.

Users are advised to update to Gemini version 0.1.14, which includes mechanisms to prevent shell command execution and implements measures against the described attack.

Enabling a “sandbox” — an isolated environment that protects the user’s system — also prevents the attack discovered by Cox.

However, after installation Gemini CLI runs without a sandbox by default.

Back in June, the AI tool Xbow topped the leaderboard of white hat hackers who discovered and reported the most vulnerabilities in major companies’ software.
