
"Gemini CLI automatically trusted the current workspace folder, loading any agent configuration it found there without review, sandboxing, or human approval. An attacker who could plant a malicious configuration in that folder could cause the AI agent to execute arbitrary commands on the host before sandbox initialization."
"Across every affected workflow, the impact was the same: code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach."
"AI coding agents now sit inside CI/CD pipelines holding the execution privileges of a trusted contributor, reading from the same workspaces a contributor would touch. This level of access can lead to critical supply-chain attacks, the type that stem from the developer workflow itself."
Researchers discovered a remote code execution vulnerability in Gemini CLI, an open-source AI agent. The vulnerability allowed attackers to execute arbitrary commands by planting malicious configurations in the workspace folder. This could lead to unauthorized access to secrets and credentials within CI/CD pipelines. The researchers emphasized that AI coding agents have significant access, which can facilitate critical supply chain attacks. The vulnerability was patched by Google, but it highlights the risks associated with AI agents in developer workflows.
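The failure the quotes describe is an agent treating a freshly cloned folder as trusted and loading whatever configuration it finds there. The added example below (not Gemini CLI's code; the config file name `.agent/config.json` and the trust-store layout are assumptions) shows the defensive pattern: a workspace config is only loaded if a human has previously approved that exact content, recorded as a SHA-256 digest keyed by canonical workspace path, so a planted or modified config is refused rather than executed.

```python
"""Trust-gated loading of a per-workspace agent configuration.

Added example, not Gemini CLI's own code. Assumes a hypothetical config
file name and a JSON trust store mapping canonical workspace path to the
SHA-256 of the config a human approved. Unknown or changed configs are
refused instead of being silently loaded.
"""
import hashlib
import json
from pathlib import Path

CONFIG_NAME = ".agent/config.json"  # hypothetical name, not the real one


class UntrustedWorkspace(Exception):
    """Raised when a workspace config has not been explicitly approved."""


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _read_store(trust_store: Path) -> dict:
    return json.loads(trust_store.read_text()) if trust_store.is_file() else {}


def load_workspace_config(workspace: Path, trust_store: Path) -> dict:
    """Parse the config only if this exact content was approved earlier.

    Returns {} when no config exists. Raises UntrustedWorkspace when a
    config is present but was never approved, or has changed since.
    """
    ws = workspace.resolve()
    cfg_path = ws / CONFIG_NAME
    if not cfg_path.is_file():
        return {}
    raw = cfg_path.read_bytes()
    expected = _read_store(trust_store).get(str(ws))
    if expected is None:
        raise UntrustedWorkspace(f"{ws}: config present but never approved")
    if expected != _digest(raw):
        raise UntrustedWorkspace(f"{ws}: config changed since approval")
    return json.loads(raw)


def approve_workspace(workspace: Path, trust_store: Path) -> str:
    """Record the current config digest as human-approved; return it."""
    ws = workspace.resolve()
    raw = (ws / CONFIG_NAME).read_bytes()
    approved = _read_store(trust_store)
    approved[str(ws)] = _digest(raw)
    trust_store.write_text(json.dumps(approved, indent=2))
    return approved[str(ws)]
```

Approval is a separate, deliberate step, so a CI job that merely clones a repository never gains a trusted config by default.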
Read at SecurityWeek