“From those credentials, the attacker pivots to a token with full write access on the repository. Full supply-chain compromise. The attacker can push arbitrary code to the main branch of gemini-cli’s repository, which then ships to every downstream user,” Pillar notes.

At least eight other Google repositories had the same vulnerable workflow template deployed, the cybersecurity firm says.

Google addressed the vulnerability on April 24, in Gemini CLI version 0.39.1, which evaluates tool allowlisting under --yolo mode. The run-gemini-cli GitHub Action was also updated.

In addition to the tool allowlisting issue, the update also resolved a lax trust issue impacting Gemini CLI in headless mode, which automatically trusted the current workspace folder, loading any configuration or environment variable in it.

This could have allowed attackers to access credentials, secrets, and source code across vulnerable CI workflows, potentially leading to supply chain attacks.
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek