Max-severity RCE flaw found in Google Gemini CLI
Summary
A critical remote code execution (RCE) vulnerability has been discovered in Google Gemini CLI, specifically affecting the @google/gemini-cli package and its associated GitHub Action. This flaw allows attackers to inject malicious configurations into trusted workspace folders, leading to command execution on the host system, particularly in CI/CD environments that process untrusted inputs.
IFF Assessment
This vulnerability allows for remote code execution, posing a significant threat to systems processing untrusted inputs.
Severity
The vulnerability allows for remote code execution with high impact, affecting Confidentiality, Integrity, and Availability. It has a low attack complexity and requires no privileges, making it highly exploitable.
Defender Context
Defenders should prioritize patching or updating the Gemini CLI and the run-gemini-cli GitHub Action to the fixed versions immediately. Organizations using these tools in CI/CD pipelines must ensure they are not processing untrusted inputs without proper sanitization or validation to prevent potential RCE attacks.