
""The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration. This triggered command execution directly on the host system, bypassing security before the agent's sandbox even initialized.""
""In previous versions, Gemini CLI running in CI environments (headless mode) automatically trusted workspace folders for the purpose of loading configuration and environment variables. This is potentially risky in situations where Gemini CLI runs on untrusted folders in headless mode.""
""If used with untrusted directory contents, this could lead to remote code execution via malicious environment variables in the local .gemini/ directory. An attacker could weaponize this behavior by planting a specially crafted configuration that could pave the way for code execution on the host running the agent.""
Google addressed a severe security vulnerability in the Gemini CLI npm package and its GitHub Actions workflow that could let attackers execute arbitrary commands on host systems. The flaw allowed an unprivileged external attacker to load malicious content as Gemini configuration, triggering command execution before the agent's sandbox initialized. The issue affects specific versions of the Gemini CLI and its GitHub Action. Google advised that workflows running Gemini CLI in headless mode without folder trust need manual review to configure the trust mechanism, because automatically trusting workspace folders could lead to remote code execution.
Read at The Hacker News