A vulnerability in Google’s Gemini CLI allowed attackers to execute malicious commands and exfiltrate data from developers’ computers through allowlisted programs. Google released a fix in version 0.1.14 after security firm Tracebit discovered the flaw.
Key points
- A security flaw in Google’s Gemini CLI enabled silent execution of malicious commands.
- The vulnerability involved processing of ‘README.md’ and ‘GEMINI.md’ files for prompt injection.
- Attackers could hide malicious instructions within allow-listed commands, leading to data exfiltration.
- Google issued a security update in version 0.1.14 to address the issue.
- Users are advised to avoid untrusted codebases and run Gemini in sandboxed environments.
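
The risk of hiding extra instructions inside an allow-listed command can be shown with a small command validator. This is an added example, not Gemini CLI's code or Google's fix: the summary above does not say how the allowlist was matched, so the first-word check, the `ALLOWED` set and both function names are assumptions made for illustration.

```python
import shlex

ALLOWED = {"grep", "ls", "cat"}   # hypothetical user allowlist
OPERATORS = set("();<>|&")        # characters shlex splits out as shell operators


def naive_is_allowed(command, allowed=ALLOWED):
    """Weak check (constructed for contrast): trusts the first word only."""
    words = command.split()
    return bool(words) and words[0] in allowed


def strict_is_allowed(command, allowed=ALLOWED):
    """Allow only one simple command whose program is on the allowlist."""
    # Command substitution and newlines can run extra commands, even inside
    # double quotes, so reject them before tokenising. This fails closed.
    if any(marker in command for marker in ("`", "$(", "\n", "\r")):
        return False
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True   # needs Python 3.8+ with punctuation_chars
    lexer.commenters = ""           # never let '#' hide the tail from this check
    try:
        tokens = list(lexer)
    except ValueError:              # unbalanced quotes: fail closed
        return False
    if not tokens or tokens[0] not in allowed:
        return False
    # A token made only of operator characters chains, pipes or redirects.
    # A quoted ";" argument is rejected too, which is the safe direction.
    return not any(tok and set(tok) <= OPERATORS for tok in tokens)


if __name__ == "__main__":
    # Constructed sample commands; the trailing command is deliberately benign.
    samples = [
        "grep -n TODO README.md",
        "grep -n TODO README.md ; id",
        'grep "$(id)" README.md',
        "grep x README.md | cat",
    ]
    for cmd in samples:
        print(f"{cmd!r:34} naive={naive_is_allowed(cmd)} strict={strict_is_allowed(cmd)}")
```
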