
"This vulnerability had nothing to do with prompt injection or the model 'deciding' to act maliciously. It was an infrastructure-level issue, where attacker-controlled content was silently accepted as trusted configuration and executed before any sandbox was initialized."
"This is potentially risky in situations where Gemini CLI runs on untrusted folders in headless mode. If used with untrusted directory contents, this could lead to remote code execution via malicious environment variables in the local .gemini/ directory."
Google has addressed a critical CVSS 10.0 vulnerability in Gemini CLI that chiefly affects its headless mode and GitHub Actions usage. The flaw arises from over-permissive workspace trust settings that allow untrusted folders to be treated as trusted, so that environment variables supplied through a malicious project-level .gemini/ directory are applied before any sandbox is initialized. This could lead to remote code execution. The vulnerability was discovered by researchers studying CI/CD supply chain attack vectors. Google is in the process of assigning a CVE for the issue, and a bug bounty was awarded for the discovery.
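To illustrate the trust-boundary problem described above, here is an added example (not Gemini CLI's own code): a minimal model of a headless CLI that reads a per-project env file, with the over-permissive default beside the hardened one. The TrustPolicy class, resolve_env, and the sample file contents are assumptions constructed for the illustration.

```python
# Added illustration, not Gemini CLI's code: models "workspace trust" for a
# headless CLI that loads per-project config before its sandbox starts.
# TrustPolicy, resolve_env and the sample file content are assumptions.
from dataclasses import dataclass, field
import os

# Constructed stand-in for a project-level ".gemini/"-style env file that
# arrived with a checked-out repository (content is hypothetical).
WORKSPACE_ENV_FILE = (
    "# project settings committed by whoever controls the repo\n"
    "GEMINI_MODEL=gemini-pro\n"
    "TOOL_PATH=./repo-controlled/bin\n"
)


def parse_env_file(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks, comments and malformed lines."""
    env: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


@dataclass
class TrustPolicy:
    # Folders the operator explicitly marked trusted (normalized paths).
    trusted_folders: set[str] = field(default_factory=set)
    # The over-permissive variant: every workspace counts as trusted unless
    # listed otherwise. Hardened default is False (untrusted until allowed).
    default_trusted: bool = False

    def is_trusted(self, workspace: str) -> bool:
        return os.path.normpath(workspace) in {
            os.path.normpath(p) for p in self.trusted_folders
        } or self.default_trusted


def resolve_env(policy: TrustPolicy, workspace: str, env_text: str) -> dict[str, str]:
    """Return the env vars the CLI would apply for this workspace.

    Workspace-supplied config is only honoured for explicitly trusted
    folders; an untrusted checkout contributes nothing.
    """
    if not policy.is_trusted(workspace):
        return {}
    return parse_env_file(env_text)
```

In headless CI the workspace is a checkout of whatever the pull request author pushed, so the hardened policy is the only one under which the env file cannot influence the process.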
Read at Theregister