A critical security issue in Google’s Gemini CLI tool allowed attackers to stealthily run malicious commands and steal data through allowlisted programs. The problem, discovered by Tracebit shortly after the tool’s June 25, 2025 release, was reported on June 27 and fixed in version 0.1.14, available since July 25. Gemini CLI is a terminal-based assistant that loads project files into context and can write or execute code, but flaws in how it parsed context files like README.md made it vulnerable to prompt injection. By planting hidden instructions inside these files, attackers could trick the tool into executing harmful commands without user confirmation if a trusted program was allowlisted.
Tracebit demonstrated the exploit by using a poisoned README.md that caused Gemini to treat a malicious data exfiltration command as part of a harmless grep command. Worse, attackers could hide the dangerous part of the output with formatting tricks, leaving users unaware. While the exploit required certain preconditions, it showed how AI assistants can be abused to leak sensitive information silently. Users are urged to update to the patched version and avoid scanning untrusted codebases outside of sandboxed environments.
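The weakness described above, where a whole command line is trusted because it begins with an allowlisted program, can be shown beside a stricter check. This is an added illustration, not Gemini CLI's or Tracebit's code; the function names, the allowlist, and the sample command strings are constructed assumptions.

```python
import re
import shlex

ALLOWLIST = {"grep"}  # constructed: programs approved to run without a prompt

# Operators that let one shell line carry more than one command or redirect I/O.
_CHAINING = re.compile(r"[;&|`\n\r<>]|\$\(")
# Long whitespace runs can push trailing text out of view in a terminal.
_PADDING = re.compile(r"[ \t]{8,}")


def naive_is_allowed(command: str) -> bool:
    """Weak check: trusts the entire line if its first word is allowlisted."""
    parts = command.split()
    return bool(parts) and parts[0] in ALLOWLIST


def strict_is_allowed(command: str) -> tuple[bool, str]:
    """Auto-approve only one simple command with no chaining or padding.

    Deliberately conservative: an operator character inside quotes is also
    refused, which only means the user gets a confirmation prompt.
    """
    if _CHAINING.search(command):
        return False, "shell operator present; ask the user"
    if _PADDING.search(command):
        return False, "whitespace padding; ask the user"
    try:
        argv = shlex.split(command)
    except ValueError:
        return False, "unparseable quoting; ask the user"
    if not argv or argv[0] not in ALLOWLIST:
        return False, "program not allowlisted; ask the user"
    return True, "single allowlisted command"


# Constructed sample inputs; SECOND_COMMAND is a harmless placeholder.
PLAIN = "grep -n install README.md"
CHAINED = "grep install README.md ; echo SECOND_COMMAND"
PADDED = "grep install" + " " * 40 + "README.md"

if __name__ == "__main__":
    for cmd in (PLAIN, CHAINED, PADDED):
        print(naive_is_allowed(cmd), strict_is_allowed(cmd), repr(cmd[:30]))
```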
