A vulnerability in Google's Gemini CLI allowed attackers to silently execute malicious commands and exfiltrate data from developers' computers using allow-listed programs.

The flaw was discovered and reported to Google by the security firm Tracebit on June 27, with the tech giant releasing a fix in version 0.1.14, which became available on July 25.

Gemini CLI, first released on June 25, 2025, is a command-line interface tool developed by Google that enables developers to interact directly with Google's Gemini AI from the terminal. The tool can make recommendations, write code, and even execute commands locally, either by prompting the user first or by using an allow-list mechanism.

Tracebit researchers, who explored the new tool immediately after its release, found that it could be tricked into executing malicious commands. The attack works by exploiting Gemini CLI's processing of "context files," specifically 'README.md' and 'GEMINI.md,' which are read into its prompt to aid in understanding a codebase. Tracebit found it's possible to hide malicious instructions in these files to perform prompt injection, while poor command parsing and allow-list handling leave room for malicious code execution.

They demonstrated an attack by setting up a repository containing a benign Python script and a poisoned 'README.md' file, and then triggered a Gemini CLI scan on it. Setup README.md'), and then run a malicious data exfiltration command that is treated as a trusted action, not prompting the user to approve it.

The command used in Tracebit's example appears to be grep, but after a semicolon (;), a separate data exfiltration command begins. Gemini CLI interprets the entire string as safe to auto-execute if the user has allow-listed grep. "For the purposes of comparison to the whitelist, Gemini would consider this to be a 'grep' command, and execute it without asking the user again," explains Tracebit in the report.

Furthermore, Gemini's output can be visually manipulated with whitespace to hide the malicious command from the user, so they're not aware of its execution.

Although the attack comes with some strong prerequisites, such as assuming the user has allow-listed specific commands, persistent attackers could achieve the desired results in many cases. Tracebit states that it tested the attack method against other agentic coding tools, such as OpenAI Codex and Anthropic Claude, but those aren't exploitable due to more robust allow-listing mechanisms.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
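The parsing weakness described above, as an added example that is not Gemini CLI's code: a naive first-word allow-list check beside a hardened one that splits the line at shell control operators and requires every simple command to be allow-listed, plus a check for the whitespace padding the article mentions. The allow-list contents and command strings are constructed for the example.

```python
import re
import shlex

ALLOWLIST = {"grep", "ls", "cat"}  # constructed sample allow-list
CONTROL = set(";&|()")             # operator characters that begin a new simple command


def naive_is_allowed(command: str) -> bool:
    """The flawed approach: compare only the first word with the allow-list."""
    words = command.split()
    return bool(words) and words[0] in ALLOWLIST


def split_simple_commands(command: str) -> list[list[str]]:
    """Split a shell line into simple commands at control operators.

    shlex with punctuation_chars=True emits operators such as ';', '&&', '||',
    '|', '<(' and ')' as their own tokens; non-POSIX mode keeps quotes on
    tokens, so a quoted ';' argument is not mistaken for a separator.
    """
    lexer = shlex.shlex(command, posix=False, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if set(tok) <= set(lexer.punctuation_chars) and set(tok) & CONTROL:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def hardened_is_allowed(command: str) -> bool:
    """Every simple command must be allow-listed and no command substitution may appear.

    Fails closed: a line this cannot classify cleanly (e.g. one using 2>&1, whose
    '>&' token contains '&') is rejected and would fall back to a user prompt.
    """
    if "$(" in command or "`" in command:
        return False
    commands = split_simple_commands(command)
    return bool(commands) and all(c[0] in ALLOWLIST for c in commands)


def looks_padded(command: str, limit: int = 8) -> bool:
    """Flag long whitespace runs or control characters that could push part of
    the command out of view when it is echoed back to the user for review."""
    return bool(re.search(r"\s{%d,}|[\x00-\x08\x0b-\x1f\x7f]" % limit, command))
```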
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 28 Jul 2025 19:45:18 +0000