Google Patches CVSS 10.0 RCE in Gemini CLI — Fix May Break CI/CD Pipelines
Google has patched a critical remote code execution vulnerability in Gemini CLI that could allow attackers to compromise CI/CD pipelines via malicious workspace configuration files.

Google has patched a critical remote code execution vulnerability in its Gemini command-line interface (CLI) tool, assigning it a CVSS score of 10.0. The flaw, discovered independently by researchers at Novee Security and Pillar Security, stems from an over-permissive workspace trust mechanism in Gemini CLI's headless mode. When running in headless mode — commonly used in CI/CD pipelines and by AI agents — the tool automatically trusts any workspace folder it is active in, loading configuration files and environment variables from the local `.gemini/` directory without user verification. An attacker who can place a malicious `.gemini/` directory into a workspace can achieve remote code execution on the host running the agent.
Novee researcher Elad Meged, who discovered the vulnerability, emphasized that this is not a prompt injection or model-level issue. "It was an infrastructure-level issue, where attacker-controlled content was silently accepted as trusted configuration and executed before any sandbox was initialized," Meged told The Register. The vulnerability affects both the Gemini CLI itself and the `run-gemini-cli` GitHub Action, which is widely used in automated workflows. A CVE is pending assignment, according to Google.
The impact of exploitation is severe. In tests conducted by Novee across multiple workflows, the vulnerability consistently allowed code execution on the host running the agent. "Code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach," the Novee team explained. "Enough for token theft, supply-chain pivots, and lateral movement into downstream systems." This makes the flaw a prime vector for supply chain attacks, as compromised CI/CD pipelines can be used to inject malicious code into downstream software.
Google has released fixes in Gemini CLI versions 0.39.1 and 0.40.0-preview.3. The update changes headless mode to require explicit user trust before loading workspace configuration files, aligning it with the behavior of interactive mode. However, the fix may cause significant disruption for users who rely on the previous automatic trust behavior. The `run-gemini-cli` GitHub Action defaults to the newest Gemini CLI release unless users pin a specific version, meaning many workflows will automatically receive the update and may break.
"GitHub Actions and other automated pipelines that rely on the previous automatic trust behavior will fail to load workspace-specific settings until they are updated to use explicit trust mechanisms," Google warned in its advisory. Additionally, the update modifies the behavior of the `--yolo` mode, which previously bypassed fine-grained tool allowlists and automatically approved agent actions. In version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlisting under `--yolo` mode, potentially causing workflows that depended on the old behavior to fail silently unless tool allowlists are updated.
Organizations using Gemini CLI in CI/CD environments should immediately review their workflows. Google recommends that users pin specific CLI versions and update their configurations to use explicit trust mechanisms. The update is necessary to close a critical security hole, but it requires proactive management to avoid pipeline failures. As AI agents and CLI tools become more deeply integrated into development and deployment pipelines, this vulnerability highlights the growing attack surface presented by automated trust decisions in infrastructure tools.
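The article's mechanism (headless mode auto-trusting whatever `.gemini/` directory sits in the checkout) and its advice to review CI/CD workflows both suggest a pre-flight gate: before an agent runs, enumerate every `.gemini/` directory in the workspace and refuse to proceed unless each file matches a manifest the pipeline owner approved. The following is an added example written for this page, not Gemini CLI's own code or anything from Google, Novee or Pillar; the manifest format, the `settings.json` and `.env` filenames inside `.gemini/`, and the `third_party/lib` location of the planted directory are all assumptions used to construct the sample workspace.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directory the article describes Gemini CLI auto-trusting in headless mode.
TRUST_DIR_NAME = ".gemini"


def digest_file(path: Path) -> str:
    """sha256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_trust_dirs(root: Path) -> dict[str, str]:
    """Map <path relative to root> -> digest for every entry under any .gemini/
    directory anywhere in the checkout, not just the repo root. Symlinks are
    recorded as 'SYMLINK' so they can never match a real digest in a manifest."""
    root = Path(root).resolve()
    found: dict[str, str] = {}
    for dirpath, dirnames, _ in os.walk(root):
        if TRUST_DIR_NAME not in dirnames:
            continue
        trust_dir = Path(dirpath) / TRUST_DIR_NAME
        dirnames.remove(TRUST_DIR_NAME)  # rglob below covers the subtree
        if trust_dir.is_symlink():
            found[trust_dir.relative_to(root).as_posix()] = "SYMLINK"
            continue
        for entry in sorted(trust_dir.rglob("*")):
            rel = entry.relative_to(root).as_posix()
            if entry.is_symlink():
                found[rel] = "SYMLINK"
            elif entry.is_file():
                found[rel] = digest_file(entry)
    return found


def check_workspace(root, approved: dict[str, str]) -> tuple[bool, list[str]]:
    """Return (ok, findings). ok is False when any trusted-config file is
    unexpected, modified, or missing relative to the approved manifest."""
    actual = collect_trust_dirs(Path(root))
    findings: list[str] = []
    for rel, digest in sorted(actual.items()):
        if rel not in approved:
            findings.append(f"unexpected file in trusted config dir: {rel}")
        elif approved[rel] != digest:
            findings.append(f"trusted config file modified: {rel}")
    for rel in sorted(set(approved) - set(actual)):
        findings.append(f"approved file missing: {rel}")
    return not findings, findings


def build_sample_workspace(root: Path, plant_rogue: bool) -> dict[str, str]:
    """Constructed sample checkout (assumed layout): one legitimate
    .gemini/settings.json at the repo root and, when plant_rogue is set, a
    .gemini/.env under a vendored subdirectory that the owner never approved.
    Returns the manifest covering only the legitimate file."""
    legit = root / TRUST_DIR_NAME / "settings.json"
    legit.parent.mkdir(parents=True)
    legit.write_text('{"sample": true}\n')
    if plant_rogue:
        planted = root / "third_party" / "lib" / TRUST_DIR_NAME / ".env"
        planted.parent.mkdir(parents=True)
        planted.write_text("PLACEHOLDER_SECRET=constructed-sample\n")
    return {legit.relative_to(root).as_posix(): digest_file(legit)}


def run_demo(plant_rogue: bool = True) -> tuple[bool, list[str]]:
    """Build the constructed workspace in a temp dir and run the gate over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = build_sample_workspace(root, plant_rogue)
        return check_workspace(root, approved)


if __name__ == "__main__":
    ok, findings = run_demo()
    print("OK" if ok else "BLOCKED")
    for line in findings:
        print(" -", line)
```

Running the gate as a job step before the agent step (and failing the job on `BLOCKED`) means a pull request that adds or edits a `.gemini/` directory cannot reach the headless run unless the manifest is updated in the same reviewed change; the walk covers nested directories because a planted config need not sit at the repository root.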
The discovery and disclosure of this vulnerability underscore the importance of rigorous security review for AI-powered development tools. With the rapid adoption of AI coding assistants and autonomous agents, vulnerabilities in their underlying infrastructure can have cascading effects across the software supply chain. Organizations should treat AI CLI tools with the same security scrutiny as any other critical infrastructure component, and ensure that trust mechanisms are explicitly configured rather than implicitly granted.