Google Gemini security flaw could have let anyone access systems or run code

News
By published

Having an allow-list in Gemini CLI caused a few issues

Gemini on Android
(Image credit: Future / Chris Hall)
  • Gemini could automatically run certain commands that were previously placed on an allow-list
  • If a benign command was paired with a malicious one, Gemini could execute it without warning
  • Version 0.1.14 addresses the flaw, so users should update now

A security flaw in Google’s new Gemini CLI tool allowed threat actors to target software developers with malware, even exfiltrating sensitive information from their devices, without them ever knowing.

The vulnerability was discovered by cybersecurity researchers from Tracebit just days after Gemini CLI was first launched on June 25, 2025.

Google released a fix with the version 0.1.14, which is now available for download.

Hiding the attack in plain sight

Gemini CLI is a tool that lets developers talk to Google’s AI (called Gemini) directly from the command line. It can understand code, make suggestions, and even run commands on the user’s device.

The problem stems from the fact that Gemini could automatically run certain commands that were previously placed on an allow-list. According to Tracebit, there was a way to sneak hidden, malicious instructions into files that Gemini reads, like README.md.

In one test, a seemingly harmless command was paired with a malicious one that exfiltrated sensitive information (such as system variables or credentials) to a third-party server.

Because Gemini thought it was just a trusted command, it didn’t warn the user or ask for approval. Tracebit also says the malicious command could be hidden using clever formatting, so users wouldn’t even see it happening.

"The malicious command could be anything (installing a remote shell, deleting files, etc),” the researchers explained.

The attack is not that easy to pull off, though. It requires a little setting up, including having a trusted command on the allow-list, but it could still be used to trick unsuspecting developers into running dangerous code.

Google has now patched the problem, and if you’re using Gemini CLI, make sure to update to version 0.1.14 or newer as soon as possible. Also, make sure not to run it on unknown, or untrusted code (unless you’re in a secure test environment).

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.