Google’s Gemini CLI tool was found to be seriously vulnerable within 48 hours of its launch. Researchers discovered how attackers could use prompt injection attacks to execute destructive commands and steal sensitive data without users noticing.
The attackers were able to hide malicious commands by adding lots of whitespace to the command lines, so that only the innocent part was visible in status messages. This allowed them to send environment variables, which often contain system settings and account details, to servers under their control without being noticed.
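A tool that displays commands to a user can check for this padding before anything runs. The following check is an added example, not code from Gemini CLI or Tracebit; the display width, the whitespace threshold and the sample commands are assumptions constructed for illustration.

```python
import re

# Assumed values for illustration: the width a status line shows, and the
# longest whitespace run treated as normal formatting.
DISPLAY_WIDTH = 80
MAX_WS_RUN = 8

WS_RUN = re.compile(r"\s{%d,}" % (MAX_WS_RUN + 1))
# Shell operators that start a second command on the same line.
CHAIN = re.compile(r";|&&|\|\||\||`|\$\(|\n")


def audit_command(cmd, width=DISPLAY_WIDTH):
    """Report what a truncated status line would hide from the user."""
    shown = cmd[:width].rstrip()
    hidden = cmd[width:].strip()
    runs = [m.span() for m in WS_RUN.finditer(cmd)]
    # Text that follows a long whitespace run and contains a chaining
    # operator is a second command pushed out of view.
    padded_chain = any(CHAIN.search(cmd[end:]) for _, end in runs)
    return {
        "shown": shown,
        "hidden": hidden,
        "longest_ws_run": max((e - s for s, e in runs), default=0),
        "suspicious": bool(hidden) and padded_chain,
    }


def render_full(cmd):
    """Collapse padding to a visible marker so nothing falls off screen."""
    return WS_RUN.sub(lambda m: " [%d whitespace chars] " % len(m.group()), cmd)


# Constructed samples; the trailing segment is a harmless placeholder.
BENIGN = "grep -n install README.md"
PADDED = "grep -n install README.md" + " " * 200 + "; echo CONSTRUCTED_HIDDEN_SEGMENT"

if __name__ == "__main__":
    for sample in (BENIGN, PADDED):
        report = audit_command(sample)
        print(report["suspicious"], repr(report["shown"]))
        print("  full:", render_full(sample))
```

Showing the output of `render_full` in the approval prompt, rather than a truncated string, keeps the whole command in front of the user even when the padding check is not triggered.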
Sam Cox, founder of security company Tracebit, warns of the significant danger posed by this vulnerability. “The same technique works for extremely destructive commands such as ‘rm -rf /’ or fork bombs that crash systems. That’s exactly why I find this so worrying,” Cox said. Other similar tools from Anthropic and OpenAI were not found to be vulnerable to the same flaw.
Gemini CLI was only recently launched. It is a free open-source AI tool that helps developers write code in the terminal. It uses Google’s most powerful Gemini 2.5 Pro model. Researchers at Tracebit managed to bypass the built-in security measures via a seemingly innocent code repository.