- Gemini could automatically run certain commands that were previously placed on an allow-list
- If a benign command was paired with a malicious one, Gemini could execute it without warning
- Version 0.1.14 addresses the flaw, so users should update now
A security flaw in Google’s new Gemini CLI tool allowed threat actors to target software developers with malware, even exfiltrating sensitive information from their devices, without them ever knowing.
The vulnerability was discovered by cybersecurity researchers from Tracebit just days after Gemini CLI was first launched on June 25, 2025.
Google released a fix with the version 0.1.14, which is now available for download.
Hiding the attack in plain sight
Gemini CLI is a tool that lets developers talk to Google’s AI (called Gemini) directly from the command line. It can understand code, make suggestions, and even run commands on the user’s device.
The problem stems from the fact that Gemini could automatically run certain commands that were previously placed on an allow-list. According to Tracebit, there was a way to sneak hidden, malicious instructions into files that Gemini reads, like README.md.
In one test, a seemingly harmless command was paired with a malicious one that exfiltrated sensitive information (such as system variables or credentials) to a third-party server.
Because Gemini thought it was just a trusted command, it didn’t warn the user or ask for approval. Tracebit also says the malicious command could be hidden using clever formatting, so users wouldn’t even see it happening.
“The malicious command could be anything (installing a remote shell, deleting files, etc),” the researchers explained.
The attack is not that easy to pull off, though. It requires a little setting up, including having a trusted command on the allow-list, but it could still be used to trick unsuspecting developers into running dangerous code.
Google has now patched the problem, and if you’re using Gemini CLI, make sure to update to version 0.1.14 or newer as soon as possible. Also, make sure not to run it on unknown, or untrusted code (unless you’re in a secure test environment).
Via BleepingComputer
