Google’s Gemini CLI tool was found to be seriously vulnerable within 48 hours of its launch. Researchers discovered how attackers could use prompt injection attacks to execute destructive commands and steal sensitive data without users noticing.
The attackers were able to hide malicious commands by padding the command line with large amounts of whitespace, so that only the innocent-looking part was visible in status messages. This allowed them to send environment variables, which often contain system settings and account details, to servers under their control without being noticed.
Sam Cox, founder of security company Tracebit, warns of the significant danger posed by this vulnerability. “The same technique works for extremely destructive commands such as ‘rm -rf /’ or fork bombs that crash systems. That’s exactly why I find this so worrying,” Cox said. Other similar tools from Anthropic and OpenAI were not found to be vulnerable to the same flaw.
Deception via README files
Gemini CLI was only recently launched. It is a free open-source AI tool that helps developers write code in the terminal. It uses Google’s most powerful Gemini 2.5 Pro model. Researchers at Tracebit managed to bypass the built-in security measures via a seemingly innocent code repository.
The attack is difficult to detect because attackers hide their instructions in README.md files of packages. Gemini CLI reads these files to understand the code, allowing natural language commands in README files to mislead the AI into performing dangerous actions.
Bypassing allow lists
The researchers exploited a critical weakness in the allow list mechanism. Gemini CLI blocks commands by default unless users explicitly give permission. Using prompt injection, attackers were able to get users to add the relatively harmless grep command to their allow list.
Once approved, the attackers appended additional commands to the same line, separated by semicolons. The system checked only the first grep part against the allow list, while the subsequent env and curl commands were given free access to system information.
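To make the weakness described above concrete, here is an added illustration (not Gemini CLI's own code) of a naive allow-list check that inspects only the first word of a line, next to a hardened check that tokenizes the line with shell quoting rules and validates every simple command in it, so that whitespace padding and semicolon-separated additions no longer slip past. The allow list and the sample commands are constructed for the example.

```python
import shlex

# Constructed allow list: the user has approved only "grep".
ALLOW_LIST = {"grep"}

# Bash control operators that start a new simple command.
CONTROL_OPERATORS = {";", ";;", "&&", "||", "|", "|&", "&"}


def naive_is_allowed(command: str) -> bool:
    """Vulnerable check: only the first word of the line is compared."""
    words = command.split()
    return bool(words) and words[0] in ALLOW_LIST


def split_simple_commands(command: str) -> list[list[str]]:
    """Tokenize with POSIX quoting rules and split on control operators.

    Quoted text such as "a; b" stays one token, so a legitimate grep
    pattern containing a semicolon is not mistaken for a second command.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for token in lexer:
        if token in CONTROL_OPERATORS:
            segments.append(current)
            current = []
        else:
            current.append(token)
    segments.append(current)
    return segments


def hardened_is_allowed(command: str) -> bool:
    """Every simple command on the line must be allow-listed.

    Padding with whitespace does not matter here, because the decision
    never depends on what a truncated status line would display.
    """
    if "`" in command or "$(" in command:  # command substitution
        return False
    for segment in split_simple_commands(command):
        if not segment or segment[0] not in ALLOW_LIST:
            return False
        # Leftover redirection or subshell punctuation is also rejected.
        if any(not tok or tok[0] in "<>()" for tok in segment):
            return False
    return True


# Constructed sample: the visible part is a harmless grep, the rest is hidden by padding.
PADDED = "grep -r needle . ;" + " " * 200 + "env"
```

Run `naive_is_allowed(PADDED)` and `hardened_is_allowed(PADDED)` to see the naive check accept the line while the hardened check rejects it.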
Google classified the vulnerability as Priority 1 and Severity 1, the most serious possible rating. The company released a fix last week that blocks the attack technique. Gemini CLI users should upgrade to version 0.1.14 and only run untrusted codebases in sandbox environments.