Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution
Summary
Google has fixed a maximum-severity vulnerability (CVSS 10) in its Gemini CLI, affecting both the npm package "@google/gemini-cli" and the GitHub Action "google-github-actions/run-gemini-cli". The flaw could have allowed an unprivileged attacker to get a malicious Gemini configuration loaded and thereby execute arbitrary commands on the host running the CLI, whether a developer workstation or a CI runner.
IFF Assessment
This vulnerability allows remote code execution by an unprivileged attacker. Because the affected code runs on developer workstations and on CI runners, a successful exploit reaches whatever those hosts hold (workflow tokens, cloud credentials, source trees) and turns a trusted build step into a foothold, so the threat extends to every organization that runs the CLI or the action, not only to Google.
Severity
The article states this is a maximum-severity flaw that could allow an unprivileged external attacker to execute arbitrary commands. A CVSS 10 base score for such a flaw implies low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability; the earlier wording of "high attack complexity" was inconsistent with that score.
Defender Context
This critical vulnerability highlights the need for prompt patching of third-party software and supply chain components. Upgrade the "@google/gemini-cli" package and move any workflow that uses "google-github-actions/run-gemini-cli" to the fixed release, and pin the action to a full commit SHA rather than a mutable tag so the version in use is unambiguous. More generally, defenders should treat any configuration that an unprivileged party can supply (for a CI action, anything present in the checked-out repository contents is a candidate) as attacker-controlled input, keep GITHUB_TOKEN permissions minimal for jobs that run AI tooling, and review runner logs for unexpected commands executed during Gemini steps.
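The first step of a patch rollout is finding where the two affected components are consumed. The script below is an added example, not code from Google, the advisory, or the article: it scans a repository snapshot (given as a path-to-contents map so it runs offline) for `uses:` references to the action and for manifest or lockfile dependencies on the npm package, and flags references that are not pinned to an immutable value (a 40-hex commit SHA for the action, an exact version for the package). The workflow files, the commit SHA and the version numbers in the sample are constructed for illustration; the page does not state the fixed versions, so the script produces an inventory rather than a patched/unpatched verdict.

```python
"""Inventory a repo for the two affected Gemini CLI distribution points.

Added example (not Google's code). Uses plain regexes rather than a YAML
parser so it has no dependencies and runs offline.
"""
import re
from dataclasses import dataclass

ACTION = "google-github-actions/run-gemini-cli"
PACKAGE = "@google/gemini-cli"

# `uses: owner/repo[/subpath]@ref`, optionally quoted, with or without list dash.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?" + re.escape(ACTION) + r"(?:/[^@'\"\s]+)?@([^'\"\s#]+)",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # immutable action ref
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+$")           # exact npm version, no range
DEP_RE = re.compile(r'"' + re.escape(PACKAGE) + r'"\s*:\s*"([^"]*)"')  # package.json
LOCK_RE = re.compile(                                 # package-lock.json v2/v3 entry
    r'"node_modules/' + re.escape(PACKAGE) + r'"\s*:\s*\{\s*"version"\s*:\s*"([^"]+)"'
)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str     # "action" or "package"
    ref: str      # git ref for the action, version or range for the package
    pinned: bool  # commit SHA (action) or exact version (package)


def scan_workflow(path, text):
    """Return one Finding per `uses:` line that references the affected action."""
    return [Finding(path, "action", m.group(1), bool(SHA_RE.match(m.group(1))))
            for m in USES_RE.finditer(text)]


def scan_package_json(path, text):
    """Return one Finding per dependency declaration on the affected package."""
    return [Finding(path, "package", m.group(1), bool(EXACT_RE.match(m.group(1))))
            for m in DEP_RE.finditer(text)]


def scan_package_lock(path, text):
    """Return the resolved version recorded in a package-lock.json, if any."""
    return [Finding(path, "package", m.group(1), bool(EXACT_RE.match(m.group(1))))
            for m in LOCK_RE.finditer(text)]


def scan_repo(files):
    """Dispatch each file by path; `files` maps repo-relative path -> contents."""
    findings = []
    for path, text in sorted(files.items()):
        name = path.rsplit("/", 1)[-1]
        if path.startswith(".github/workflows/") and name.endswith((".yml", ".yaml")):
            findings.extend(scan_workflow(path, text))
        elif name == "package.json":
            findings.extend(scan_package_json(path, text))
        elif name == "package-lock.json":
            findings.extend(scan_package_lock(path, text))
    return findings


def unpinned(findings):
    """References that cannot be tied to one immutable version of the component."""
    return [f for f in findings if not f.pinned]


# Constructed sample repository (paths, refs, SHA and versions are made up).
SAMPLE_FILES = {
    ".github/workflows/gemini-review.yml": (
        "name: gemini-review\non:\n  pull_request:\njobs:\n  review:\n"
        "    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n"
        "      - name: Run Gemini CLI\n        uses: google-github-actions/run-gemini-cli@v0\n"
    ),
    ".github/workflows/gemini-pinned.yml": (
        "name: gemini-pinned\non: [workflow_dispatch]\njobs:\n  run:\n"
        "    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: 'google-github-actions/run-gemini-cli@"
        "0123456789abcdef0123456789abcdef01234567'\n"
    ),
    "package.json": '{\n  "name": "demo",\n  "devDependencies": {\n'
                    '    "@google/gemini-cli": "^0.1.0"\n  }\n}\n',
    "package-lock.json": '{\n  "packages": {\n    "node_modules/@google/gemini-cli": {\n'
                         '      "version": "0.1.4",\n      "resolved": "https://registry.'
                         'npmjs.org/@google/gemini-cli/-/gemini-cli-0.1.4.tgz"\n    }\n  }\n}\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{'UNPINNED' if not f.pinned else 'pinned  '} {f.kind:7} {f.path}: {f.ref}")
```

Run it against a real checkout by replacing `SAMPLE_FILES` with a walk of the working tree. Every "UNPINNED" line is a place where the version actually executed depends on a mutable tag or a range resolved at install time, which is exactly what makes confirming the fix hard; resolve each to the fixed release and pin it.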