"From those credentials, the attacker pivots to a token with full write access on the repository. Full supply-chain compromise. The attacker can push arbitrary code to the main branch of gemini-cli's repository, which then ships to every downstream user."
"The security defect, assigned a CVSS score of 10/10 but no CVE identifier, existed because Gemini CLI in -yolo mode would ignore tool allowlists, leading to the execution of any command. According to Pillar Security, an attacker could have exploited the flaw by creating a public issue on a Google GitHub repository and hiding malicious prompts in its text."
"In addition to the tool allowlisting issue, the update also resolved a lax trust issue impacting Gemini CLI in headless mode, which automatically trusted the current workspace folder, loading any configuration or environment variable in it. This could have allowed attackers to access credentials, secrets, and source code across vulnerable CI workflows."
Gemini CLI, an open source AI agent providing terminal access to Google's Gemini AI assistant, contained a critical vulnerability in its -yolo mode that bypassed tool allowlists, automatically approving all command executions. Attackers could exploit this by injecting malicious prompts into public GitHub issues, allowing the AI agent to extract internal secrets from build environments and send them to attacker-controlled servers. With stolen credentials, attackers could gain full write access to repositories and push arbitrary code to main branches, compromising all downstream users. At least eight Google repositories shared the same vulnerable workflow template. Google patched the vulnerability in version 0.39.1 by implementing tool allowlisting evaluation in -yolo mode and addressing a related trust issue in headless mode that automatically loaded workspace configurations.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]