Critical Security Patch: Google Resolves Maximum-Severity Flaw in Gemini CLI and GitHub Actions Integration

From Fonarow, the free encyclopedia of technology

Overview of the Vulnerability

Google has rolled out an urgent security update for its Gemini CLI toolkit, addressing a critical vulnerability that could allow remote attackers to execute arbitrary commands on affected systems. The flaw, assigned a CVSS score of 10 — the highest severity rating — impacts two key components: the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow. This security hole has been closed to prevent potential exploitation that could lead to full system compromise.

Details of the Gemini CLI Flaw

The vulnerability resides in how Gemini CLI handles configuration loading. According to Google's advisory, "The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration." This means an attacker with no prior access could inject a poisoned configuration file, which Gemini CLI would then trust and process. Because config files can contain command execution directives, this opens the door for remote code execution (RCE) in the context of the user running the CLI.

Gemini CLI is a command-line interface for interacting with Google's Gemini AI models, often used in automated pipelines within GitHub Actions workflows. The google-github-actions/run-gemini-cli action simplifies running Gemini commands from CI/CD jobs. If an attacker managed to inject a malicious configuration into a repository or environment where this action executes, they could trigger arbitrary code on the runner machine.

Attack Vector: Configuration Poisoning

The attack exploits a lack of validation on external configuration sources. By crafting a specially designed configuration file — perhaps hosted on a public URL or injected into a repository through a pull request — an adversary could force Gemini CLI to load it as if it were a legitimate config. The config file can include instructions to run shell commands, download payloads, or exfiltrate data. Since the CLI runs with the permissions of the user or service account (often broad in CI/CD environments), the impact is severe.

Impact on Users and Systems

This flaw is particularly dangerous because:

  • No privileged access required: The attacker does not need any existing credentials or elevated permissions.
  • CI/CD pipeline compromise: In GitHub Actions, a successful attack could lead to secret leaks, source code theft, or deployment of malicious artifacts.
  • Wide attack surface: Anyone using the npm package or GitHub Action could be affected, including enterprises, open-source projects, and individual developers.

The CVSS 10 rating reflects that exploitation is relatively easy and the consequences — full system takeover — are maximal. Google’s security team considers this a must-fix issue.

Google's Response and Fix

Upon discovering the vulnerability (likely through internal or external disclosure), Google acted swiftly. The fix involved:

  1. Updating the npm package to version 0.6.6 (or later) with improved configuration validation.
  2. Patching the GitHub Action to prevent loading untrusted configuration sources.
  3. Issuing security advisories to notify users of the update and the urgent need to upgrade.

Users are strongly advised to upgrade immediately to @google/gemini-cli@0.6.6 and the latest version of google-github-actions/run-gemini-cli. Google also recommends reviewing any custom configurations or workflows that might rely on external configuration files.

Recommendations for Developers

To mitigate similar risks in the future, follow these best practices:

  • Pin dependencies: Use exact versions in your package.json and GitHub Actions workflow files to avoid automatically picking up vulnerable versions.
  • Validate configurations: Never load configuration from untrusted external sources without strict validation and signature verification.
  • Limit permissions: Run CLI tools and CI/CD jobs with the least privilege necessary.
  • Monitor for advisories: Subscribe to Google's security notifications for Gemini and other tools.
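
The pinning and upgrade advice above can be checked mechanically. The following is an added example, not code from Google or the Gemini CLI project: it audits a package.json string for an @google/gemini-cli spec that is unpinned or admits versions below 0.6.6, and a workflow file for run-gemini-cli references by tag or branch. The function names and the sample inputs, including the placeholder commit SHA, are constructed for illustration.

```python
import json
import re

PKG = "@google/gemini-cli"
ACTION = "google-github-actions/run-gemini-cli"
FIXED = (0, 6, 6)  # fixed npm release named in the article
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION) + r"(?:/[^@\s'\"]*)?@([^\s'\"#]+)",
    re.M)

def audit_package_json(text):
    """Flag unpinned or pre-fix gemini-cli specs in a package.json string."""
    findings = []
    manifest = json.loads(text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = manifest.get(section, {}).get(PKG)
        if spec is None:
            continue
        exact = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", spec.strip())
        if not exact:
            findings.append(f"{section}: '{spec}' is not an exact version pin")
        base = exact or re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
        if base and tuple(map(int, base.groups())) < FIXED:
            findings.append(f"{section}: '{spec}' admits versions below 0.6.6")
    return findings

def audit_workflow(text):
    """Flag uses: lines that reference the action by tag or branch."""
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        # A full SHA is immutable, but still confirm it is a patched commit.
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"{ACTION}@{ref} is a mutable ref; pin a full commit SHA")
    return findings

# Constructed sample inputs, not taken from any real repository.
SAMPLE_PACKAGE_JSON = '{"dependencies": {"@google/gemini-cli": "^0.6.0"}}'
SAMPLE_WORKFLOW = """\
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/run-gemini-cli@v0
      - uses: google-github-actions/run-gemini-cli@""" + "a" * 40 + """  # placeholder SHA
"""

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON) + audit_workflow(SAMPLE_WORKFLOW):
        print("FINDING:", finding)
```

A SHA pin only guarantees the reference cannot move; whether that commit contains the fix still has to be confirmed against the advisory.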

Conclusion

The Gemini CLI CVSS 10 RCE flaw serves as a stark reminder that even well-maintained tools can harbor critical vulnerabilities. Google's rapid response and patch demonstrate a strong security posture, but the onus is on users to apply updates promptly. By staying vigilant and following secure configuration practices, developers can protect their systems from such attacks.

For more information, refer to the GitHub Security Advisory and Google's official disclosure. If you use Gemini CLI in your workflows, check your dependency versions now.