A critical security vulnerability was discovered in Google’s Gemini CLI tool just days after its launch on June 25, 2025, posing a significant risk to software developers.
The Gemini CLI tool is designed to enable developers to interact with Google’s AI directly from the command line, providing code suggestions and executing commands on the user’s device. Cybersecurity researchers from Tracebit identified the flaw, which could have allowed threat actors to target developers with malware and exfiltrate sensitive information from their devices without detection. The vulnerability stemmed from the tool’s ability to automatically run commands from an allow-list.
Researchers found that malicious instructions could be hidden in files that Gemini reads, such as README.md files. According to Tracebit, attackers could pair seemingly harmless commands with malicious ones, using formatting tricks to conceal the dangerous code. In testing, researchers demonstrated how a malicious command could exfiltrate sensitive information like system variables or credentials to a third-party server without the user’s knowledge or approval. “The malicious command could be anything (installing a remote shell, deleting files, etc),” the researchers explained.
While the attack required some setup, including having a trusted command on the allow-list, it posed a significant risk to unsuspecting developers. Google has since addressed the vulnerability with the release of version 0.1.14. Users are strongly advised to update to this version or newer immediately and avoid running Gemini CLI on untrusted code unless in a secure test environment.
