New AI Tool Flaw Could Let Hackers Steal Developer Data
A new tool from Google, called Gemini CLI, has a serious security flaw that could let hackers access sensitive data from developers working with untrusted code repositories. The problem was found just a few weeks after the tool was launched, showing how quickly security issues can pop up in new software.
Gemini CLI is designed to help developers by letting them use natural language prompts to run commands and analyze code. It combines Google’s language models with traditional command line tools like PowerShell and Bash. This makes coding and debugging faster and easier. But, as with many new tools, it isn’t perfect.
How the Vulnerability Works
Within just two days of Gemini CLI’s release on June 25, security researchers from Tracebit spotted the first weaknesses. They created a proof of concept that showed how attackers could trick the tool using a simple-looking README.md file. This file is common in open source projects and normally just contains basic information about the project.
The researchers found that malicious prompts could be hidden inside these files. When the tool processed them, attackers could run harmful shell commands without the user realizing it. These commands could do anything, from stealing environment variables—possibly containing passwords or API keys—to installing remote shells or deleting files.
Key Weaknesses in the Tool
One of the main issues with Gemini CLI is its command allowlisting feature. This feature lets users specify certain commands that are safe to run often, like “grep,” without being prompted every time. That’s helpful, but the problem is that the allowlist doesn’t check if a command pretending to be “grep” is actually malicious.
This means an attacker could slip a harmful command into the allowlist by disguising it as a trusted command. Since Gemini CLI doesn’t perform enough validation, it would run the malicious command automatically, without asking the user for permission again. The attacker could hide these commands using extra spaces or special characters, making them hard to spot.
Tracebit’s researcher Sam Cox explained that this combination of prompt injection, poor user interface design, and weak validation makes the attack very effective and difficult to detect. They also tested similar tools and found that other AI coding assistants had better protections in place, making it harder or impossible for such exploits to succeed.
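The allowlist weakness described above comes down to how a command is matched against the list of trusted names. The following is an added illustration, not Gemini CLI’s code: a naive prefix match beside a stricter check that tokenizes the command, refuses shell metacharacters, and compares the exact program name. The allowlist contents and the sample commands are constructed for the example.

```python
import shlex

# Constructed sample allowlist of commands a user has marked as safe to run.
ALLOWLIST = {"grep", "ls"}

# Characters that let one command string carry more than one command.
SHELL_METACHARS = set(";|&$`><()\n")


def naive_is_allowed(cmd: str) -> bool:
    """Weak check: trusts anything that merely starts with an allowed name."""
    return any(cmd.lstrip().startswith(name) for name in ALLOWLIST)


def strict_is_allowed(cmd: str) -> bool:
    """Stricter check: exactly one simple command whose program is allowlisted.

    Metacharacters are rejected before tokenizing, which is deliberately
    conservative: a quoted ';' inside an argument is refused too.
    """
    if any(ch in SHELL_METACHARS for ch in cmd):
        return False
    try:
        argv = shlex.split(cmd)  # handles extra whitespace and quoting
    except ValueError:  # e.g. unterminated quote
        return False
    if not argv:
        return False
    return argv[0] in ALLOWLIST


def compare(cmd: str) -> tuple:
    """Return (naive, strict) verdicts for a command string."""
    return naive_is_allowed(cmd), strict_is_allowed(cmd)


if __name__ == "__main__":
    for sample in ("grep -r TODO .", "grep  x ;  env", "grepfoo", "grep 'a"):
        print(repr(sample), "naive/strict:", compare(sample))
```

The second and third samples show the two failure modes the article names: a harmless-looking prefix hiding a second command, and a binary whose name merely resembles a trusted one.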
Google’s Response and Fixes
Google quickly responded to the findings. On July 25 it released an update, Gemini CLI version 0.1.14, that fixed the security flaws. Google’s team emphasized that its security approach includes multi-layered sandboxing, which isolates the tool from the rest of the system. It offers integrations with Docker, Podman, and macOS Seatbelt to keep the tool contained.
Google also makes it clear that users who choose not to use sandboxing will see a prominent warning during their sessions. This way, users are alerted to the risks if they run the tool outside of a secure environment. The company’s Vulnerability Disclosure Program thanked Tracebit for discovering the flaw and praised their quick response.
In the end, this incident shows that even cutting-edge AI tools need careful security measures. Developers should always run new tools in isolated environments to protect their systems. As AI continues to evolve, so does the need for ongoing security testing and updates. While the Gemini CLI flaw has been patched, experts warn that similar vulnerabilities may appear in other tools, emphasizing the importance of vigilance.