Google Patches Critical RCE Flaw in Gemini CLI and GitHub Action
Google has released urgent security updates for its Gemini CLI and the associated GitHub Action, addressing a critical vulnerability that exposes CI/CD pipelines to Remote Code Execution (RCE) attacks.
Tracked as GHSA-wpqr-6v78-jr5g, the flaw stems from improper handling of workspace trust and tool allowlisting, raising serious concerns about supply chain security across automated development workflows.
Security researchers Elad Meged from Novee Security and Dan Lisichkin from Pillar Security identified two distinct bypass methods at the core of this vulnerability.
Critical RCE Flaw in Gemini CLI and GitHub Action
The first involves headless mode behavior. When Gemini CLI runs in non-interactive environments, such as GitHub Actions, workspace folders are automatically trusted.
This allows attackers to execute malicious code via environment variables planted in untrusted directories, without user interaction or elevated privileges.
The second bypass targets Yolo execution mode, which previously ignored fine-grained tool allowlists. Attackers could exploit this to bypass access restrictions and achieve RCE via prompt injection.
In both cases, improper input validation failed to neutralize special characters, creating direct pathways for OS command injection.
This vulnerability is particularly dangerous in modern software supply chains. Automated pipelines routinely process user-submitted pull requests and public GitHub issues.
If a vulnerable Gemini CLI instance runs against an attacker’s untrusted repository without proper safeguards, it automatically loads the malicious configuration files, requiring no interaction from the target organization.
Once inside, threat actors could steal sensitive repository secrets, tamper with source code, or pivot deeper into the organization’s internal infrastructure.
The combination of network exploitability, no required privileges, and no user interaction elevates this flaw to critical severity.
Google’s Fixes and Recommended Actions
Google’s patches fundamentally overhaul how the Gemini CLI handles automated tasks. Headless modes now align with interactive modes, requiring explicit trust configurations before processing environment variables or external configuration files.
Organizations using these tools should act immediately by taking the following steps:
- Upgrade the NPM package for Gemini CLI to version 0.39.1 or 0.40.0-preview.3
- Update the GitHub Action to the patched version 0.1.22
- Add the workspace trust environment variable for workflows running on trusted internal inputs
- Implement strict tool allowlists for any workflows that process untrusted external inputs
- Audit all existing GitHub Actions that reference older, vulnerable CLI versions
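A starting point for the audit step, added here as an example and not part of the article or of Google's own tooling: a small Python scan over workflow text that flags references to the Gemini CLI GitHub Action or npm package pinned below the patched releases named above, and separately flags refs (branch names, commit SHAs, floating tags) whose version cannot be determined from the pin alone. The action slug google-github-actions/run-gemini-cli and the package name @google/gemini-cli are assumptions, not stated in the article, and the sample workflow lines are constructed.

```python
import re

# Version thresholds quoted in the article; anything older is treated as vulnerable.
PATCHED = {"action": (0, 1, 22), "npm": (0, 39, 1)}
PATCHED_PREVIEW = ((0, 40, 0), 3)  # 0.40.0-preview.3 is the first safe preview build

# Assumed identifiers (not stated in the article): the action slug and the npm package name.
ACTION_NAME = "google-github-actions/run-gemini-cli"
NPM_PACKAGE = "@google/gemini-cli"

PATTERNS = {
    "action": re.compile(rf"uses:\s*['\"]?{re.escape(ACTION_NAME)}@([^\s'\"]+)"),
    "npm": re.compile(rf"{re.escape(NPM_PACKAGE)}@([^\s'\"]+)"),
}
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-preview\.(\d+))?$")

def is_patched(kind, ref):
    """True/False for a parseable version; None for a branch, SHA or floating tag."""
    m = SEMVER_RE.match(ref)
    if not m:
        return None  # the ref alone does not reveal which release will actually run
    base = tuple(int(x) for x in m.group(1, 2, 3))
    if kind == "npm" and base == PATCHED_PREVIEW[0] and m.group(4):
        return int(m.group(4)) >= PATCHED_PREVIEW[1]
    return base >= PATCHED[kind]

def audit_workflow(text):
    """Return (line_no, status, ref) for every reference that is vulnerable or unverifiable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, regex in PATTERNS.items():
            m = regex.search(line)
            if m is None:
                continue
            verdict = is_patched(kind, m.group(1))
            if verdict is None:
                findings.append((lineno, "unverifiable", m.group(1)))
            elif not verdict:
                findings.append((lineno, "vulnerable", m.group(1)))
    return findings

# Constructed sample workflow fragment, not taken from any real repository.
SAMPLE = """\
  - uses: google-github-actions/run-gemini-cli@v0.1.20
  - uses: google-github-actions/run-gemini-cli@main
  - run: npm install -g @google/gemini-cli@0.38.0
  - run: npm install -g @google/gemini-cli@0.40.0-preview.2
  - run: npm install -g @google/gemini-cli@0.40.0-preview.3
"""
```

Run `audit_workflow` over each file under `.github/workflows/`; an "unverifiable" finding means the pin must be resolved (e.g. to the tag the branch or SHA corresponds to) before the workflow can be declared patched.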
Broader Implications
This incident underscores a growing attack surface in AI-assisted developer tooling integrated into CI/CD pipelines.
As AI-powered tools become embedded in software development workflows, ensuring they enforce proper trust boundaries is no longer optional; it’s a foundational security requirement. Organizations should treat this patch as a priority remediation given the potential for cascading supply chain compromise.