Gemini CLI Critical RCE Fix: Patching the @google/gemini-cli Flaw
- [01] Unprivileged attackers can execute arbitrary commands on CI/CD runners by forcing malicious configurations into the Gemini CLI environment.
- [02] The vulnerability affects the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Action workflow.
- [03] Update the @google/gemini-cli package and the run-gemini-cli GitHub Action to their latest patched versions immediately.
Google has issued a critical security update for its Gemini developer toolchain, addressing a maximum-severity flaw that could lead to unauthorized code execution in automated build environments. The vulnerability centers on the @google/gemini-cli npm package and the associated google-github-actions/run-gemini-cli GitHub Action. According to The Hacker News, the flaw carries a CVSS score of 10.0, the highest possible rating, because it is easy to exploit and has a significant impact on the software supply chain attack surface.
Technical Analysis of the Gemini CLI Configuration Injection
The vulnerability stems from how the Gemini command-line interface handles its configuration files. An unprivileged external attacker could manipulate the environment to force the tool to load a malicious configuration file instead of the intended system or user settings. Because these tools are frequently integrated into CI/CD pipelines, this injection allows for RCE on the runner or host system performing the build.
When the google-github-actions/run-gemini-cli action is triggered, it typically operates with the permissions of the GitHub runner. If an attacker can influence the configuration being loaded—for instance, through a malicious pull request or by exploiting external inputs that feed into the configuration path—they can execute arbitrary shell commands. This bypasses traditional security boundaries, as the attacker does not need direct access to the repository to trigger the malicious execution path. This type of flaw is particularly dangerous because CI/CD environments often have access to sensitive secrets, API keys, and deployment credentials.
How to detect @google/gemini-cli RCE exploitation in CI workflows
Security teams must focus on identifying unusual configuration loading patterns to defend against this threat. Defenders can monitor for unexpected file creation in temporary directories or changes to the environment variables that the Gemini CLI references during runtime. Utilizing an EDR solution on self-hosted runners to flag unauthorized child process spawning from the npm or node processes is a primary detection strategy. Furthermore, analyzing SIEM logs for outbound C2 traffic from build runners can help identify successful compromises where an attacker attempts to exfiltrate secrets after achieving execution.
Impact on DevOps and CI/CD Security
The integration of AI-driven tools into the software development lifecycle introduces new vectors for lateral movement. If an attacker gains control of a runner via the Gemini CLI, they may attempt to access the repository's GITHUB_TOKEN or other environment secrets. This could lead to a broader compromise of the organization's infrastructure. Organizations must apply Zero Trust principles to their build environments, ensuring that runners are ephemeral and have the least privilege necessary to perform their tasks.
google-github-actions/run-gemini-cli vulnerability mitigation
The most effective mitigation is to upgrade all instances of the affected tools. Google has released patches that harden the configuration loading mechanism, preventing the tool from accepting unauthorized overrides from external or unprivileged sources.
Defenders should implement the following steps:
- Update NPM Packages: Ensure that all projects using @google/gemini-cli are updated to the latest version via npm update or by manually pinning the secure version in package.json.
- Audit GitHub Actions: Review all workflow YAML files. Ensure that google-github-actions/run-gemini-cli is pointing to the latest tagged release or a specific secure commit SHA.
- Restrict Action Inputs: As a general TTP for securing pipelines, avoid passing untrusted user input directly into CLI arguments or configuration parameters without strict validation.
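As an added example (not code from the article, Google, or the action's maintainers), the following script audits workflow files for the last two steps above: it flags run-gemini-cli steps that are not pinned to a full commit SHA and action inputs that interpolate attacker-controllable event data. The sample workflow and the list of untrusted context fields are assumptions constructed for the example.

```python
import re

# Constructed sample workflow for the example; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@main
        with:
          prompt: "Summarize: ${{ github.event.issue.body }}"
      - uses: google-github-actions/run-gemini-cli@0123456789abcdef0123456789abcdef01234567
        with:
          prompt: "Run the nightly checks"
"""

ACTION = "google-github-actions/run-gemini-cli"
USES_RE = re.compile(r"^\s*(?:-\s*)?(?P<key>uses):\s*" + re.escape(ACTION) + r"@(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Context fields an outside contributor can populate (assumed list, extend as needed).
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review)|head_ref)")


def audit_workflow(text):
    """Return (line_no, issue) findings for every run-gemini-cli step in a workflow."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, ref = m.start("key"), m.group("ref")
        if not SHA_RE.match(ref):
            findings.append((i + 1, f"not pinned to a full commit SHA (ref '{ref}')"))
        # The step's remaining keys (with:, env:, ...) sit at or right of the `uses` column.
        i += 1
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) >= key_col):
            if UNTRUSTED_RE.search(lines[i]):
                findings.append((i + 1, "untrusted event data passed into action input"))
            i += 1
    return findings
```

Run it over every file under .github/workflows and treat any finding as a blocker in review; a clean result is `[]`.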
By prioritizing these updates, organizations can secure the CI/CD pipelines that run Gemini CLI and prevent attackers from leveraging AI developer tools as a gateway for broader network intrusion.