Exploiting Vulnerabilities in Gemini CLI Coding Tool

A major flaw has been discovered in Google's Gemini CLI coding tool, allowing hackers to run malicious commands. Within 48 hours, researchers exploiting the tool's default settings could clandestinely siphon sensitive data to servers under a hacker's control.

Gemini CLI, an open-source AI tool, integrates with Google's advanced Gemini 2.5 Pro model to assist developers in code creation via terminal environments. It differs from Gemini Code Assist, operating in a terminal window instead of a traditional text editor. As highlighted by technology reporter Ryan Whitwam, "it's essentially vibe coding from the command line."

Security firm Tracebit demonstrated how an attack could bypass the CLI's security measures, enabling harmful command execution. This involved coaxing the CLI into describing an attacker's code package and adding a non-threatening command to an allowed list.

The malicious package, indistinguishable from legitimate ones, hid subtle directives in a README.md file—a tactic that represents a significant threat to AI chatbot safety. While developers often overlook such files, Gemini CLI processes them thoroughly.

Vulnerabilities in the package chained together in a way that enabled the tool to execute commands secretly, unknowingly linking the user’s device to an attacker-controlled server.

A video demonstrating the exploit by Andy Smith showcases how these commands capture environmental variables from the device, which can sometimes include sensitive account credentials.

Sam Cox of Tracebit explained that although his demonstration exploit was controlled to exhibit minimal output, fully operational equivalents could execute commands as damaging as those used in sabotage attacks.

This included irreversible data deletions and denial-of-service attacks known as forkbombs, emphasizing the severe potential damages these exploits could unleash. Cox protested, "The same technique could be used for file deletions or establishing remote control over a user's machine."

In response to this threat, Google released an urgent fix to patch the vulnerability, acknowledging the significant risks with a high-priority rating.

Behind the Scenes: Prompt Injection Vulnerabilities

Prompt injections like those in the exploit take advantage of the challenges faced by AI systems in distinguishing genuine user requests from potentially harmful instructions. Such indirect prompt injections easily confuse models, leading them to execute harmful instructions inadvertently.

Gemini CLI's default setting is to disallow command execution without user approval. However, through the exploitation of improper validation and manipulated interfaces, the attacker could sneak in unsafe directives.

The exploit cleverly used 'grep,' a typically benign command, to encourage users to bypass frequent approvals by adding it to their allowed list. However, stacking non-benign commands like 'env' and 'curl' right after, the attack orchestrated data transfers to hacker-controlled destinations.

This tactic avoided detection by utilizing whitespace to mask malicious elements in command readouts, ensuring any command appeared innocuous when executed.

Why LLMs Are Vulnerable

AI's built-in propensity to please users, likened to AI sycophancy, underpins many vulnerabilities, as demonstrated in this exploit. The instructions, crafted to exploit this trait, went unnoticed as Gemini CLI adhered to these lines destructively yet dutifully.

The attack not only highlights Gemini's vulnerabilities but also displays contrasting exploit resilience in tools like Anthropic Claude and OpenAI Codex due to their robust allow-list mechanisms.

Users of Gemini CLI are advised to update to the latest version, 0.1.14, ensuring code executions occur only in controlled, sandboxed environments to curb risks.