Gemini CLI Bug Let Hackers Run Hidden Code Via README Files

Google’s Gemini CLI tool, launched on June 25, 2025, was found to contain a security flaw shortly after its release. Cybersecurity researchers at Tracebit discovered the vulnerability, which could have allowed threat actors to target developers with malware and exfiltrate data without their knowledge. Google has since released version 0.1.14 to address the issue.

The security flaw stemmed from Gemini CLI’s ability to automatically execute commands from a pre-approved allow-list. Tracebit researchers found that malicious instructions could be hidden within files such as README.md, which Gemini CLI reads. This allowed attackers to pair malicious commands with trusted ones.

In a test conducted by Tracebit, a seemingly harmless command was combined with a malicious command that exfiltrated sensitive information, including system variables and credentials, to an external server. Because Gemini CLI recognized the trusted command, it didn’t alert the user or request permission before executing the paired malicious command. Tracebit indicated that the malicious command could be concealed using specific formatting techniques, making it difficult for users to detect.
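As an added illustration (not Gemini CLI's or Tracebit's code), the constructed allow-list and two checks below contrast a first-token match, which lets a paired command ride on a trusted one, with a check that validates every sub-command and fails closed on anything it cannot parse.

```javascript
// Added example (not Gemini CLI's own code): why allow-listing a command line by
// its leading token is unsafe, and a stricter check that validates every sub-command.
// The allow-list is constructed for illustration.
const ALLOW_LIST = new Set(['grep', 'cat', 'ls']);

// Naive check: trusts the whole line if the first word is allow-listed.
// "grep -r TODO . ; other-program" passes because the line starts with "grep".
function naiveIsAllowed(cmdLine) {
  const first = cmdLine.trim().split(/\s+/)[0];
  return ALLOW_LIST.has(first);
}

// Split a shell line into simple commands on ; && || | & and newlines, keeping
// separators that sit inside single or double quotes. Returns null when command
// or process substitution is present, or a quote is unterminated, because what
// such a line runs cannot be determined statically. Redirections like 2>&1 are
// split too, which is conservative (the line is rejected rather than trusted).
function splitCommands(cmdLine) {
  if (/\$\(|`|<\(|>\(/.test(cmdLine)) return null;
  const segments = [];
  let cur = '';
  let quote = null;
  for (let i = 0; i < cmdLine.length; i++) {
    const ch = cmdLine[i];
    if (quote) {
      if (ch === '\\' && quote === '"') { cur += ch + (cmdLine[i + 1] ?? ''); i++; continue; }
      cur += ch;
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; cur += ch; continue; }
    if (ch === '\\') { cur += ch + (cmdLine[i + 1] ?? ''); i++; continue; }
    if (ch === ';' || ch === '|' || ch === '&' || ch === '\n') {
      if (cur.trim()) segments.push(cur.trim());
      cur = '';
      continue;
    }
    cur += ch;
  }
  if (quote) return null;
  if (cur.trim()) segments.push(cur.trim());
  return segments;
}

// Strict check: every sub-command must start with an allow-listed program, and
// the line must be non-empty and free of unparseable constructs.
function strictIsAllowed(cmdLine) {
  const segments = splitCommands(cmdLine);
  if (segments === null || segments.length === 0) return false;
  return segments.every((seg) => ALLOW_LIST.has(seg.split(/\s+/)[0]));
}
```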

“The malicious command could be anything (installing a remote shell, deleting files, etc),” the researchers explained, highlighting the potential severity of the vulnerability. While exploiting the flaw required some initial setup, including the presence of a trusted command on the allow-list, it presented a significant risk to developers using the tool.

Google addressed this vulnerability with the release of Gemini CLI version 0.1.14. Users are strongly advised to update to this version, or a newer one, as soon as possible. It is also recommended to exercise caution when running Gemini CLI on unfamiliar or untrusted code, unless operating within a sandboxed or secure testing environment, to avoid potential exploitation of this or other vulnerabilities.
