A critical remote code execution vulnerability was recently discovered by researchers in Gemini CLI, an open source AI agent designed to provide lightweight access to Gemini directly from a terminal.
The vulnerability, patched by Google in both Gemini CLI and the ‘run-gemini-cli’ GitHub Action, was identified by researchers at Novee Security.
The researchers noticed that “Gemini CLI automatically trusted the current workspace folder, loading any agent configuration it found there without review, sandboxing, or human approval.”
An attacker who could plant a malicious configuration in that folder could cause the AI agent to execute arbitrary commands on the host before sandbox initialization.
“Across every affected workflow, the impact was the same: code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach,” Novee researchers explained.
According to the researchers, a threat actor could have exploited the vulnerability to steal tokens and gain lateral movement to downstream systems.
In the context of a CI/CD pipeline, the attacker could have leveraged the vulnerability to carry out a supply chain attack.
Novee researchers noted:
“AI coding agents now sit inside CI/CD pipelines holding the execution privileges of a trusted contributor, reading from the same workspaces a contributor would touch. This level of access can lead to critical supply-chain attacks, the type that stem from the developer workflow itself.”
The attack did not involve any prompt injection or model decision.
A different team of researchers recently demonstrated that AI agents associated with Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent could be hijacked via malicious GitHub comments.
Related: Critical GitHub Vulnerability Exposed Millions of Repositories
Related: Google Antigravity in Crosshairs of Security Researchers, Cybercriminals
Related: Checkmarx Confirms Data Stolen in Supply Chain Attack
