Gemini CLI Vulnerability May Have Led to Code Execution, Supply Chain Attack

A critical vulnerability in Gemini CLI might have allowed attackers to mount a supply chain attack via indirect prompts injected into a GitHub issue, Pillar Security warns.

Gemini CLI is the open source AI agent that provides access to Google's Gemini AI assistant directly from a terminal.

The security defect, assigned a CVSS score of 10/10 but no CVE identifier, existed because Gemini CLI in --yolo mode would ignore tool allowlists, leading to the execution of any command.

According to Pillar Security, an attacker could have exploited the flaw by creating a public issue on a Google GitHub repository and hiding malicious prompts in its text.

Because in --yolo mode all tool calls are automatically approved, the attacker could take over the AI agent designed to automatically triage the user-submitted GitHub issue.

Based on the injected instructions, the agent could extract internal secrets from the build environment and send them to an attacker-controlled server.

“From these credentials, the attacker pivots to a token with full write access on the repository. Full supply-chain compromise. The attacker can push arbitrary code to the main branch of gemini-cli's repository, which then ships to every downstream user,” Pillar notes.

At least eight other Google repositories had the same vulnerable workflow template deployed, the cybersecurity firm says.

Google addressed the vulnerability on April 24, in Gemini CLI version 0.39.1, which evaluates tool allowlisting under --yolo mode. The run-gemini-cli GitHub Action was also updated.

In addition to the tool allowlisting issue, the update also resolved a lax trust issue impacting Gemini CLI in headless mode, which automatically trusted the current workspace folder, loading any configuration or environment variable found in it.

This could have allowed attackers to access credentials, secrets, and source code across vulnerable CI workflows, potentially leading to supply chain attacks.
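The two defects described above, the allowlist that --yolo mode skipped and the workspace folder that headless mode trusted implicitly, both come down to a policy check being short-circuited by a convenience flag. The following TypeScript is an added illustrative model written for this article; it is not Gemini CLI's code and does not reproduce its internals. The tool names (`run_shell_command`, `read_file`), the allowlist format, the `.env` file name and every sample value are assumptions. Each flawed decision function is shown beside a hardened one so the difference in where the flag is consulted is visible.

```typescript
// Added illustrative model (not Gemini CLI's code) of the two behaviours the article describes:
// (1) a tool allowlist that must be enforced even when --yolo skips interactive confirmation, and
// (2) headless mode that must not load configuration from a workspace folder nobody explicitly trusted.
// Tool names, the allowlist format, the ".env" file name and all sample values are assumptions.

type ToolCall = { tool: string; command?: string };

type Policy = {
  allowedTools: Set<string>;      // assumed: tool names the user allowlisted, e.g. "read_file"
  allowedShellPrefixes: string[]; // assumed: permitted command prefixes for the shell tool
  yolo: boolean;                  // --yolo: auto-approve instead of prompting
};

type Decision = { execute: boolean; reason: string };

const SHELL_TOOL = "run_shell_command"; // assumed tool name
// Characters that let a command continue past its allowlisted prefix (chaining, pipes, substitution).
const SHELL_CHAIN = /[;&|`$(){}<>\n]/;

function shellCommandAllowed(command: string, prefixes: string[]): boolean {
  if (SHELL_CHAIN.test(command)) return false; // "git status; <anything>" must not match "git status"
  const tokens = command.trim().split(/\s+/);
  return prefixes.some((p) => {
    const want = p.trim().split(/\s+/);
    return want.length <= tokens.length && want.every((t, i) => t === tokens[i]);
  });
}

function isAllowlisted(call: ToolCall, policy: Policy): boolean {
  if (call.tool === SHELL_TOOL) {
    return shellCommandAllowed(call.command ?? "", policy.allowedShellPrefixes);
  }
  return policy.allowedTools.has(call.tool);
}

// Behaviour the article attributes to the flawed versions: --yolo short-circuits every check.
export function decideVulnerable(call: ToolCall, policy: Policy): Decision {
  if (policy.yolo) return { execute: true, reason: "yolo: auto-approved without consulting allowlist" };
  if (isAllowlisted(call, policy)) return { execute: true, reason: "allowlisted" };
  return { execute: false, reason: "not allowlisted: prompt the user" };
}

// Hardened model: the allowlist is evaluated first. --yolo only replaces the interactive prompt,
// and in an unattended run there is nobody to ask, so a non-allowlisted call is refused.
export function decideHardened(call: ToolCall, policy: Policy): Decision {
  if (isAllowlisted(call, policy)) return { execute: true, reason: "allowlisted" };
  if (policy.yolo) return { execute: false, reason: "not allowlisted: refused (no prompt in yolo mode)" };
  return { execute: false, reason: "not allowlisted: prompt the user" };
}

// ---- workspace trust in headless mode ----

type Workspace = { path: string; files: Record<string, string> }; // constructed in-memory folder

// Minimal KEY=VALUE parser for the assumed .env format; comments and blank lines are skipped.
function parseDotEnv(text: string): Record<string, string> {
  const env: Record<string, string> = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 && (value[0] === '"' || value[0] === "'") && value[0] === value[value.length - 1];
    if (quoted) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Behaviour the article describes: headless mode implicitly trusted the current folder.
export function loadWorkspaceEnvVulnerable(ws: Workspace, headless: boolean, trusted: Set<string>): Record<string, string> {
  if (headless || trusted.has(ws.path)) return parseDotEnv(ws.files[".env"] ?? "");
  return {};
}

// Hardened model: only an explicitly trusted folder contributes configuration, headless or not.
export function loadWorkspaceEnvHardened(ws: Workspace, _headless: boolean, trusted: Set<string>): Record<string, string> {
  if (!trusted.has(ws.path)) return {};
  return parseDotEnv(ws.files[".env"] ?? "");
}

// Constructed sample: a CI checkout whose contents the operator does not control.
export const sampleWorkspace: Workspace = {
  path: "/ci/checkout",
  files: { ".env": "# constructed sample\nGEMINI_API_KEY=\"constructed-key\"\nEXTRA_TOOL_DIR=/tmp/untrusted\n" },
};

// Constructed sample policy for an unattended triage run.
export const samplePolicy: Policy = {
  allowedTools: new Set(["read_file"]),
  allowedShellPrefixes: ["git status", "npm test"],
  yolo: true,
};
```

The point of the pairing is the order of checks: in the hardened variants the flag (`yolo`, `headless`) never decides whether policy applies, only what happens after policy has been evaluated. The shell-prefix matcher also rejects chaining metacharacters so that an allowlisted prefix cannot be used as a carrier for an arbitrary second command, which is the kind of detail a reviewer should look for when auditing any allowlist-based agent sandbox.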
