Critical Gemini CLI Flaw: Google’s AI Tool Allowed Silent Code Execution via Prompt Injection
A critical vulnerability has been discovered in Google’s newly released command-line interface tool, Gemini CLI, which could allow attackers to covertly execute malicious commands and exfiltrate data from developers’ machines—provided certain commands are permitted on the system.
The flaw was uncovered by security firm Tracebit just two days after the tool’s release. The issue was promptly reported to Google, and a patch was swiftly issued on July 25 in version 0.1.14, effectively addressing the vulnerability.
Gemini CLI, launched on June 25, 2025, serves as a terminal-based interface for interacting with Google’s Gemini AI. Designed as a developer assistant, the tool uploads project files into its context, enabling natural language interaction with the language model. Beyond generating code and offering suggestions, Gemini CLI can also execute local commands—either after user approval or automatically if the command is listed as allowed.
Upon release, Tracebit researchers began scrutinizing the tool and discovered that it could be exploited to run malicious commands without user awareness. The vulnerability lies in how Gemini CLI processes context: it parses the contents of files like README.md and GEMINI.md as contextual hints for understanding the project’s structure. However, these files can be manipulated to contain hidden prompt injections that trigger the execution of external commands.
Tracebit demonstrated how a seemingly harmless Python application could include a modified README file. The first command might appear benign—e.g., grep ^Setup README.md—but it is immediately followed by a semicolon and a second command that silently exports environment variables (potentially containing secrets) to a remote server. Since grep is pre-approved on the system, the entire command sequence is treated as trusted and runs automatically.
This encapsulates the essence of the exploit: due to shallow command parsing and an overly simplistic whitelist mechanism, Gemini CLI interprets the entire string as a permitted grep command, bypassing any prompt for confirmation. Furthermore, attackers can visually obfuscate the payload using whitespace, making the malicious segment nearly invisible to unsuspecting users.
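The two preceding paragraphs describe the defect in abstract terms: an allowlist check that looks only at the first word of a command string, so that a chained second command rides along under the approved name. The following Python is an added illustration written for this article; it is not Gemini CLI's code, not Tracebit's proof of concept, and not a description of the 0.1.14 fix. It places a deliberately shallow check (naive_is_allowed) next to a stricter one (strict_is_allowed) that tokenises the string the way a POSIX shell would, refuses any control operator, command substitution or embedded newline, and only then compares the command name against the allowlist. The allowlist contents, the function names and the sample command strings are all constructed for the example.

```python
import shlex

# Constructed allowlist standing in for a user's pre-approved commands.
ALLOWED_COMMANDS = {"grep", "ls", "cat"}

# shlex's punctuation set: any token made only of these characters is a shell
# operator (';', '|', '&&', '>' and so on), i.e. the boundary between two
# commands or a redirection, not part of a command's arguments.
SHELL_PUNCTUATION = "();<>|&"

# Syntax that makes the shell run something else while expanding an argument.
SUBSTITUTION_MARKERS = ("$(", "`", "${")


def naive_is_allowed(command: str) -> bool:
    """Shallow check in the style the article describes.

    Only the first whitespace-delimited word is compared against the allowlist,
    so 'grep ... ; <anything>' is approved as if it were a plain grep.
    """
    parts = command.strip().split(None, 1)
    return bool(parts) and parts[0] in ALLOWED_COMMANDS


def tokenize(command: str) -> list:
    """Split like a POSIX shell, emitting operators as separate tokens.

    punctuation_chars=True makes ';' in 'README.md;' its own token instead of
    part of the filename, and quotes are honoured so '"a;b"' stays one token.
    Raises ValueError on unbalanced quotes.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def _is_operator(token: str) -> bool:
    return bool(token) and all(ch in SHELL_PUNCTUATION for ch in token)


def strict_is_allowed(command: str) -> bool:
    """Approve only a single, un-chained invocation of an allowlisted command.

    Rejects (1) embedded newlines, which shlex treats as whitespace but a
    shell treats as a command separator; (2) any operator token, so ';', '|',
    '&&', redirections and subshells all fail closed; (3) command substitution
    inside arguments, which would still execute if the string reaches a shell;
    (4) strings that do not even tokenise. Runs of whitespace used to push a
    payload off-screen are collapsed by the tokeniser and change nothing.
    """
    if "\n" in command or "\r" in command:
        return False
    try:
        tokens = tokenize(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    if not tokens:
        return False
    if any(_is_operator(tok) for tok in tokens):
        return False
    if any(marker in tok for tok in tokens for marker in SUBSTITUTION_MARKERS):
        return False
    return tokens[0] in ALLOWED_COMMANDS


if __name__ == "__main__":
    # Constructed inputs: the benign command from the article, then the same
    # command with a chained second command hidden behind padding.
    samples = [
        "grep ^Setup README.md",
        "grep ^Setup README.md;" + " " * 80 + "env | base64",
        'grep "$(env)" README.md',
    ]
    for cmd in samples:
        print(f"naive={naive_is_allowed(cmd)!s:5} strict={strict_is_allowed(cmd)!s:5} {cmd[:40]!r}")
```

The second sample is approved by the shallow check and refused by the strict one, which is the whole difference the article is pointing at. The strict version is deliberately conservative: a quoted literal semicolon passed to grep is also refused, and that false positive is the right trade when the alternative is unattended execution.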
As a proof of concept, Tracebit published a video showcasing the exploit in action. While the attack requires specific conditions—such as pre-approved commands—it underscores a broader concern: tools operating in trusted development environments must be inherently resilient to such threats.
Tracebit emphasizes that this incident vividly illustrates the susceptibility of AI-powered tools to manipulation. Even seemingly innocuous actions can lead to dangerous outcomes when such tools are used in permissive environments.
Users of Gemini CLI are strongly advised to update immediately to version 0.1.14 and to refrain from analyzing unfamiliar repositories outside of sandboxed environments. Unlike Gemini CLI, similar tools—such as OpenAI Codex and Anthropic Claude—were found to be resilient against equivalent attack vectors, thanks to more stringent command execution safeguards.