A critical vulnerability in Gemini CLI could have allowed attackers to mount a supply chain attack through indirect prompt injection via a GitHub issue, Pillar Security warns.
Gemini CLI is the open source AI agent that provides access to Google’s Gemini AI assistant directly from a terminal.
The security defect, assigned a CVSS score of 10/10 but no CVE identifier, existed because Gemini CLI in --yolo mode would ignore tool allowlists, allowing any tool call, including arbitrary commands, to execute.
According to Pillar Security, an attacker could have exploited the flaw by creating a public issue on a Google GitHub repository and hiding malicious prompts in its text.
Because in --yolo mode all tool calls are automatically approved, the attacker could take control of the AI agent designed to automatically triage user-submitted GitHub issues.
Based on the injected instructions, the agent could extract internal secrets from the build environment and send them to an attacker-controlled server.
“From those credentials, the attacker pivots to a token with full write access on the repository. Full supply-chain compromise. The attacker can push arbitrary code to the main branch of gemini-cli’s repository, which then ships to every downstream user,” Pillar notes.
At least eight other Google repositories had the same vulnerable workflow template deployed, the cybersecurity firm says.
Google addressed the vulnerability on April 24, in Gemini CLI version 0.39.1, which now evaluates tool allowlists even under --yolo mode. The run-gemini-cli GitHub Action was also updated.
In addition to the tool allowlisting issue, the update also resolved a lax trust issue affecting Gemini CLI in headless mode: the agent automatically trusted the current workspace folder and loaded any configuration or environment variables found in it.
This could have allowed attackers to access credentials, secrets, and source code across vulnerable CI workflows, potentially leading to supply chain attacks.
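To make the two defects concrete, here is an added illustration (not Gemini CLI's own code) of the policy ordering behind them: a vulnerable check where auto-approve mode short-circuits the tool allowlist, the hardened ordering where the allowlist stays authoritative and --yolo only removes the interactive prompt, and a workspace-trust check for headless runs. The tool names, allowlist, trusted roots and sample tool calls are constructed for the demo.

```python
# Added example modelling the gating logic described above; not Gemini CLI's code.
# Tool names, the allowlist, trusted roots and the sample tool calls are constructed.
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolCall:
    tool: str   # tool the agent wants to invoke
    args: str   # argument string, e.g. a shell command line


# An issue-triage agent should only read and label; nothing else (constructed allowlist).
TRIAGE_ALLOWLIST = frozenset({"read_file", "list_directory", "add_label"})


def prompt_user(call: ToolCall) -> bool:
    """Stand-in for the interactive confirmation; headless CI has no user, so deny."""
    return False


def approved_vulnerable(call: ToolCall, allowlist: frozenset, yolo: bool) -> bool:
    """Ordering that mirrors the reported flaw: yolo mode bypasses the allowlist entirely."""
    if yolo:
        return True            # every call, including run_shell_command, is approved
    return call.tool in allowlist


def approved_hardened(call: ToolCall, allowlist: frozenset, yolo: bool) -> bool:
    """Fixed ordering: allowlist first; yolo only replaces the confirmation prompt."""
    if call.tool not in allowlist:
        return False           # rejected regardless of mode
    return yolo or prompt_user(call)


def workspace_trusted(workspace: str, trusted_roots) -> bool:
    """Headless mode should load settings/env only from an explicitly trusted root."""
    ws = posixpath.normpath(workspace)          # collapses "..", so traversal cannot escape
    for root in (posixpath.normpath(r) for r in trusted_roots):
        if ws == root or ws.startswith(root.rstrip("/") + "/"):
            return True
    return False


def run_triage(calls, yolo: bool = True, hardened: bool = True):
    """Return the tool calls that would actually execute under the chosen policy."""
    check = approved_hardened if hardened else approved_vulnerable
    return [c for c in calls if check(c, TRIAGE_ALLOWLIST, yolo)]


# Constructed trace: an injected issue steers the agent into reading the build environment.
INJECTED_RUN = [
    ToolCall("read_file", "ISSUE.md"),
    ToolCall("run_shell_command", "printenv"),   # not on the triage allowlist
    ToolCall("add_label", "needs-triage"),
]
```

Under the vulnerable ordering the shell call runs in --yolo mode; under the hardened ordering it is dropped while the allowed read and label calls still auto-approve.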