# Google Patches Critical CVSS 10 Remote Code Execution Flaw in Gemini CLI


Google has resolved a maximum-severity security vulnerability affecting its Gemini CLI tooling that could have allowed remote code execution on developer systems and CI/CD pipelines. The flaw, discovered and patched in the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow, represented a critical supply chain risk capable of compromising automated build environments at scale.


## The Vulnerability


The vulnerability stems from an improper configuration handling mechanism in Gemini CLI that permitted unprivileged external attackers to inject malicious content into the tool's configuration. Rather than requiring elevated privileges or direct system access, the flaw allowed remote actors to force arbitrary code to execute by manipulating how Gemini CLI loaded its configuration files.


According to the disclosure, the vulnerability achieved a CVSS v3.1 score of 10.0 — the highest possible severity rating — indicating it presented an unmitigated risk to affected systems with no required user interaction beyond normal tool usage.


## Technical Details


### Configuration Injection Mechanism


The root cause centers on how Gemini CLI resolved and loaded configuration data. The tool failed to properly validate the source and integrity of configuration inputs before processing them. An external attacker could craft a malicious configuration that, when loaded by the CLI or the corresponding GitHub Actions workflow, would execute arbitrary commands with the privileges of the user or service account running the tool.


This type of vulnerability is particularly dangerous in CI/CD contexts, where such commands could:


  • Steal credentials and secrets stored in environment variables
  • Modify source code before compilation or deployment
  • Inject malicious dependencies into build artifacts
  • Exfiltrate intellectual property and proprietary code
  • Establish persistent access through backdoored releases

### GitHub Actions Workflow Exposure


The "google-github-actions/run-gemini-cli" GitHub Actions workflow compounded the risk by automating Gemini CLI execution in repository pipelines. Organizations using this action to lint, test, or validate code during pull requests or commits exposed their entire CI/CD chain to compromise. An attacker could leverage the vulnerability to gain code execution within GitHub's runner environment, accessing secrets and write permissions to the repository.


## Impact and Scope


### Affected Systems


The vulnerability impacted:


  • Direct users of the "@google/gemini-cli" npm package integrated into Node.js projects
  • GitHub Actions users consuming the official "google-github-actions/run-gemini-cli" action in their workflows
  • Organizations with automated linting, testing, or deployment pipelines that invoked Gemini CLI

### Supply Chain Implications


This vulnerability exemplified a broader supply chain risk: compromised developer tools in widely-adopted workflows can cascade impacts across hundreds or thousands of downstream projects. A successful exploit could have poisoned:


  • Open-source libraries published to npm
  • Internal company applications deployed through compromised CI/CD
  • Security scanning results that developers rely on
  • Automated code quality gates in enterprise environments

Any organization relying on Gemini CLI for automated processes faced potential compromise without their direct knowledge.


## Why CVSS 10.0?


The maximum CVSS score reflects several compounding factors:


| Factor | Why It Matters |
|--------|----------------|
| Attack Vector: Network | Exploitation required no physical or local access |
| Attack Complexity: Low | No special conditions; any external actor could exploit it |
| Privileges Required: None | Attackers didn't need authentication or elevated credentials |
| User Interaction: None | The tool triggered the vulnerability automatically during normal use |
| Scope: Changed | Malicious code executed beyond the CLI's intended boundaries |
| Confidentiality: High | Attackers could steal secrets, keys, and source code |
| Integrity: High | Attackers could modify code, configs, and artifacts |
| Availability: High | Attackers could disable or destroy systems |


## Remediation


### Immediate Actions


1. Update Immediately


Organizations should prioritize updating to patched versions:

  • Update "@google/gemini-cli" to the latest secure release via npm
  • Update workflows referencing "google-github-actions/run-gemini-cli" to the fixed action version
  • If pinned to specific versions, remove version locks and update to the latest patch

2. Audit CI/CD Logs


Review CI/CD pipeline execution logs dating back several months to identify:

  • Unexpected command execution
  • Unusual environment variable access
  • Network connections to unfamiliar destinations
  • Build artifacts with unexplained modifications

3. Rotate Secrets


Assume any credentials exposed through CI/CD environment variables may be compromised:

  • Regenerate API keys, tokens, and SSH keys
  • Reset database passwords used in pipelines
  • Revoke GitHub personal access tokens (PATs) used in workflows
  • Update cloud provider credentials

### Long-Term Practices


Principle of Least Privilege


  • Grant CI/CD service accounts only the minimum permissions required
  • Use environment-specific credentials (separate keys for staging vs. production)
  • Implement short-lived tokens with expiration windows

Configuration Security


  • Store sensitive configuration in secrets managers, not in code or config files
  • Validate configuration sources before processing
  • Use signed configurations where possible
  • Audit which tools can modify or override configuration

Supply Chain Oversight


  • Monitor npm package updates and security advisories proactively
  • Pin GitHub Actions to specific commit SHAs rather than mutable tags
  • Regularly audit dependencies for known vulnerabilities using tools like Snyk or npm audit
  • Subscribe to security notifications from critical tool vendors

## Recommendations for Organizations


For Development Teams:


  • Update Gemini CLI and related GitHub Actions immediately
  • Test build pipelines after updates to ensure functionality
  • Review CI/CD logs for suspicious activity dating back 90 days

For Security Teams:


  • Audit inventory of all Gemini CLI usage across repositories and pipelines
  • Implement controls requiring approval for GitHub Actions workflow updates
  • Deploy secrets scanning on all repositories to detect exposed credentials
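
One way to run the inventory audit above together with the earlier advice to pin GitHub Actions to commit SHAs, as an added example (not code from Google or the Gemini CLI project): it flags workflow lines that reference the action or npm package named in this article, and any action not pinned to a full 40-character commit SHA. The sample workflow, its refs and the SHA are constructed placeholders.

```python
import re

# Names taken from this article; all other actions are checked for pinning only.
GEMINI_ACTION = "google-github-actions/run-gemini-cli"
GEMINI_PACKAGE = "@google/gemini-cli"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps do not run
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local (./path) and docker:// references carry no git ref to pin.
            if ref.startswith(("./", "docker://")):
                continue
            action, _, version = ref.partition("@")
            # Compare owner/repo only, so sub-path references are matched too.
            if "/".join(action.lower().split("/")[:2]) == GEMINI_ACTION:
                findings.append((no, "gemini-action", ref))
            if not FULL_SHA_RE.match(version.lower()):
                findings.append((no, "unpinned-action", ref))
        elif GEMINI_PACKAGE in line:
            findings.append((no, "gemini-package", line.strip()))
    return findings


# Constructed sample workflow; the refs and the SHA are placeholders.
SAMPLE = """\
name: review
on: pull_request
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: google-github-actions/run-gemini-cli@main
      - uses: ./.github/actions/local-lint
      # - uses: actions/cache@v4
      - run: npm install -g @google/gemini-cli
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Run it over every file under `.github/workflows/` in each repository; a `gemini-action` or `gemini-package` finding marks a pipeline to update and whose logs and secrets fall under the audit and rotation steps above.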

For Infrastructure Teams:


  • Ensure CI/CD runners operate with minimal required permissions
  • Implement network segmentation isolating build environments
  • Log and monitor all outbound connections from CI/CD systems

## Conclusion


The Gemini CLI vulnerability underscores a critical reality in modern software development: developer tools and automation platforms represent high-value attack targets. A single unpatched tool in a CI/CD pipeline can compromise entire organizations' codebases, secrets, and infrastructure.


Google's swift patching demonstrates responsible disclosure and vendor cooperation. Organizations must now respond with equal urgency — updating affected tools, auditing logs for compromise, and implementing defense-in-depth controls to prevent similar attacks in the future. In an ecosystem where automation is essential, security controls over that automation are equally indispensable.