Critical Vulnerability in Google Gemini CLI Could Allow Remote Code Execution (CVSS 10)

Introduction

Google has patched a maximum-severity security flaw in its Gemini command-line interface (CLI) tool, which could have allowed an attacker to remotely execute arbitrary commands on affected systems. The vulnerability, assigned a CVSS score of 10, impacted both the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow. This article details the nature of the flaw, its potential impact, and the steps taken by Google to address the issue.

The Vulnerability in Detail

According to Google's security advisory, the vulnerability stemmed from how Gemini CLI loaded its configuration. Specifically, the flaw allowed an unprivileged external attacker to force Gemini CLI to load malicious content as Gemini configuration. Once loaded, the malicious configuration could enable arbitrary command execution on the host system where the CLI was running.

The attack vector involved tricking the Gemini CLI into reading a configuration file or data stream that contained attacker-controlled instructions. Because the CLI processes configuration with elevated trust, the injected commands could be executed with the permissions of the user running the CLI—potentially leading to full system compromise.

CVSS 10: Maximum Severity

The Common Vulnerability Scoring System (CVSS) rating of 10 indicates the highest possible severity. This score reflects the fact that the vulnerability requires no authentication, no user interaction, and can be exploited remotely over a network. If an attacker successfully exploits the flaw, they could gain complete control over the affected system, including the ability to read, modify, or delete data, install malware, or pivot to other systems within the network.

Impacted Components

The vulnerability affected two primary distribution channels of the Gemini CLI:

• @google/gemini-cli npm package: Developers installing Gemini CLI via npm (Node Package Manager) were at risk if they used a vulnerable version (before the patch).
• google-github-actions/run-gemini-cli GitHub Action: Organizations that integrated Gemini CLI into their CI/CD pipelines using this GitHub Action were also exposed. The action automatically installs and runs the CLI within GitHub Actions runners, making them a tempting target for supply chain attacks.

How the Attack Would Work

To exploit this vulnerability, an attacker would need to craft a malicious Gemini configuration file or response. The attack could unfold in several ways:

1. Malicious Configuration File: An attacker could host a harmful configuration file on a publicly accessible URL. If a user or CI pipeline could be tricked into fetching that file (e.g., via a compromised dependency or man-in-the-middle attack), the Gemini CLI would load the malicious configuration and execute the embedded commands.
2. Supply Chain Injection: In a more advanced scenario, an attacker could inject the malicious configuration into a legitimate package or repository that the Gemini CLI trusts. When the CLI processes that configuration, the injected code runs.
3. GitHub Actions Compromise: Because the run-gemini-cli action runs in the context of the GitHub Actions runner, any command executed by the CLI would inherit the runner's credentials. This could allow an attacker to steal secrets, tamper with build artifacts, or access private repositories.

Google's Response and Fix

Upon discovering the vulnerability, Google's security team worked quickly to develop and release a patch. The fix involved tightening the validation of configuration sources and ensuring that Gemini CLI only loads configuration from trusted, authenticated channels. Users and organizations were urged to update to the latest version of the npm package and the GitHub Action immediately.

Google also issued a CVE (CVE-2025-XXXX) for the vulnerability and published a detailed advisory on its security blog. The advisory recommended that all users review their CI/CD pipelines and ensure that no untrusted configuration files are being processed.

Mitigation and Best Practices

To protect against this and similar vulnerabilities, consider the following measures:

• Update Immediately: Ensure that all installations of @google/gemini-cli are updated to the latest patched version. For GitHub Actions, update the google-github-actions/run-gemini-cli action version in your workflows.
• Audit External Dependencies: Review all third-party packages and actions used in your environment for similar trust issues. Use software composition analysis tools to identify vulnerable components.
• Restrict Network Access: If the Gemini CLI is used in CI/CD runners, limit the runner's outbound network access to only essential endpoints. This can reduce the risk of fetching malicious configurations.
• Enable Security Scanning: Integrate vulnerability scanning into your development pipeline to catch known vulnerabilities before they reach production.
• Monitor for Unusual Activity: Set up alerts for unexpected commands executed by Gemini CLI or its child processes.

Conclusion

The CVSS 10 vulnerability in Google Gemini CLI serves as a stark reminder that even trusted developer tools can harbor critical flaws. By understanding the attack vector and applying the necessary patches, organizations can reduce their risk of compromise. Google's rapid response and transparent disclosure exemplify responsible security practices, but the onus remains on users to stay vigilant and keep their software updated.

For further technical details, refer to the official Google Security Blog post (example link).