
Gemini CLI Flaw Let Attackers Run Hidden Code


A vulnerability in Google’s Gemini CLI gave attackers a way to run malicious commands and steal data from developers’ systems using approved programs without raising suspicion. 

Security firm Tracebit discovered and reported the issue to Google on June 27. A fix was released in version 0.1.14, which became available on July 25. 

Gemini CLI, introduced on June 25, 2025, is a command-line tool developed by Google that lets developers communicate with the Gemini AI model directly from their terminal. 

The tool helps with coding tasks by loading project files into context and interacting with the large language model through natural language prompts. 

Gemini can suggest code, write snippets, and even run commands on the user’s machine. It does this either with user approval or through a system that recognizes approved commands. Soon after the tool launched, Tracebit found it could be tricked into executing harmful commands. Combined with user interface weaknesses, these flaws could lead to undetected attacks. 

The issue lies in how Gemini CLI reads "context files" like README.md and GEMINI.md. These files help the AI understand the codebase but can also be used to inject hidden instructions. 

Tracebit set up a test repository with a harmless Python script and a README.md file containing a hidden attack. When Gemini CLI scanned the files, it first ran a safe command, then followed it with a harmful data exfiltration command disguised as trusted activity. 

For example, the command began with 'grep' but included a semicolon that separated it from a second, hidden command. Because the first part was a known and approved command, Gemini ran the entire string without asking the user for confirmation. 

According to Tracebit, Gemini treated the command as if it were just a simple grep request, when in fact it silently sent environment variables, including sensitive information, to a remote server. 
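The approval gap described above, as an added example (not Gemini CLI's code and not from Tracebit): a first-word allow-list check of the kind the article describes, beside a stricter check that validates every chained command and fails closed. The allow-list contents, the function names and the `exfil_placeholder` command are assumptions made for illustration.

```python
import shlex

# Assumed allow-list of commands the user already approved (constructed).
APPROVED = {"grep", "ls"}
SEPARATORS = {";", "&", "&&", "|", "||"}  # operators that start another command
PUNCTUATION = set("();<>|&")              # characters shlex treats as operators

# Constructed sample: approved grep, then a chained stand-in for the hidden command.
CHAINED = "grep -n install README.md ; exfil_placeholder"


def naive_is_approved(command: str) -> bool:
    """Flawed check: trusts the whole string if its first word is approved."""
    words = command.split()
    return bool(words) and words[0] in APPROVED


def strict_is_approved(command: str) -> bool:
    """Approve only if every chained command is on the allow-list.

    Fails closed: anything it does not understand goes back to the user.
    """
    # Newlines also separate commands; backticks and $ trigger substitution.
    if any(ch in command for ch in "\n\r`$"):
        return False
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # do not let "#" hide the rest of the line from the check
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes
        return False
    expect_command = True  # True at the start and after each separator
    for tok in tokens:
        if tok in SEPARATORS:
            if expect_command:  # empty segment, e.g. a leading "|"
                return False
            expect_command = True
        elif tok and set(tok) <= PUNCTUATION:
            return False  # redirects, subshells, unknown operator runs
        elif expect_command:
            if tok not in APPROVED:
                return False
            expect_command = False
    return bool(tokens) and not expect_command


if __name__ == "__main__":
    for cmd in ("grep -n install README.md", CHAINED):
        print(f"naive={naive_is_approved(cmd)} strict={strict_is_approved(cmd)}  {cmd}")
```

The strict check still allows a pipeline of approved commands such as `grep -r TODO . | grep -v test`, and sends everything else back for explicit confirmation.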

The attack method also uses visual tricks like extra spacing to hide the second command in Gemini’s output, making it harder for users to notice what’s happening. While the attack depends on certain conditions like the user having approved specific commands, it still poses a serious risk. Persistent attackers could exploit it in many situations. 

Gemini CLI users are advised to update to version 0.1.14, the latest release. They should also avoid running the tool on unknown or untrusted code, or use isolated environments if necessary. 

Tracebit tested similar attacks on other AI coding assistants like OpenAI Codex and Anthropic Claude, but those tools were not vulnerable due to stricter command approval systems. 
