A critical vulnerability in Google's Gemini CLI, disclosed by Pillar Security, could have enabled a full supply-chain compromise of the open-source AI agent. The flaw, rated CVSS 10/10 but without a CVE identifier, stemmed from --yolo mode ignoring tool allowlists, allowing arbitrary command execution. An attacker could plant a malicious indirect prompt inside a public GitHub issue; when Gemini CLI auto-triaged the issue, the injected instructions could exfiltrate build-environment secrets and pivot to a token with full write access to the gemini-cli repository, enabling malicious code to ship to downstream users. At least eight other Google repositories shared the same vulnerable workflow. Separate Adversa.AI research (TrustFall) further shows Gemini CLI, alongside Claude Code, Cursor CLI, and Copilot CLI, will execute project-defined MCP servers from a malicious repository upon a single trust-prompt keypress, enabling one-click RCE.
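The risky combination described above (an issue-triggered automation that runs the agent with --yolo under a token that can write to the repository) is easy to spot in a workflow file once you know what to look for. The script below is an added example, not Pillar Security's or Google's code: a small heuristic auditor for GitHub Actions workflow text that flags --yolo, attacker-writable trigger events, and a contents:write token, and reports the combination. The workflow field names (on, permissions, run) are standard GitHub Actions syntax; the sample workflows and the exact gemini invocation shape are constructed for this example.

```python
"""Added example: heuristic auditor for GitHub Actions workflows that run an
AI agent. Flags --yolo (tool allowlist disabled), triggers whose payload is
written by arbitrary external users, and a contents:write GITHUB_TOKEN.
Sample workflows below are constructed; not real repository files."""
import re
from dataclasses import dataclass

# Events whose payload carries text authored by anyone on GitHub (constructed list).
UNTRUSTED_EVENTS = {"issues", "issue_comment", "pull_request_target",
                    "discussion", "discussion_comment"}


@dataclass(frozen=True)
class Finding:
    severity: str   # INFO, HIGH or CRITICAL
    message: str


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _block_keys(lines, start):
    """(key, value) pairs at the first nesting level below lines[start]."""
    base, first, keys = _indent(lines[start]), None, []
    for line in lines[start + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = _indent(line)
        if ind <= base:
            break
        first = ind if first is None else first
        m = re.match(r"^\s*([A-Za-z_][\w-]*)\s*:\s*(.*)$", line)
        if ind == first and m:
            keys.append((m.group(1), m.group(2).strip()))
    return keys


def triggers(lines):
    """Event names from the top-level 'on:' key (list, scalar or mapping form)."""
    events = set()
    for i, line in enumerate(lines):
        m = re.match(r"^on\s*:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("["):
            events.update(t.strip().strip("'\"") for t in rest.strip("[]").split(","))
        elif rest:
            events.add(rest.strip("'\""))
        else:
            events.update(k for k, _ in _block_keys(lines, i))
    return events


def has_permissions_block(lines):
    return any(re.match(r"^\s*permissions\s*:", l) for l in lines)


def contents_writable(lines):
    """True if a permissions block grants write-all or contents: write."""
    for i, line in enumerate(lines):
        m = re.match(r"^\s*permissions\s*:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest == "write-all":
            return True
        if not rest and ("contents", "write") in _block_keys(lines, i):
            return True
    return False


def yolo_lines(lines):
    """1-based numbers of non-comment lines that pass --yolo to the agent."""
    return [i + 1 for i, l in enumerate(lines)
            if "--yolo" in l and not l.lstrip().startswith("#")]


def audit_workflow(text):
    lines = text.splitlines()
    untrusted = sorted(triggers(lines) & UNTRUSTED_EVENTS)
    yolo, writable = yolo_lines(lines), contents_writable(lines)
    findings = []
    if yolo:  # allowlist bypass; critical when untrusted text can reach the agent
        sev = "CRITICAL" if untrusted else "HIGH"
        reach = f"; job reachable via {untrusted} events" if untrusted else ""
        findings.append(Finding(sev, f"--yolo on line(s) {yolo} disables the tool allowlist{reach}"))
    if untrusted and writable:  # hijacked run could push to the repository
        findings.append(Finding("CRITICAL", f"job triggered by {untrusted} holds a contents:write token"))
    if not has_permissions_block(lines):
        findings.append(Finding("INFO", "no permissions block: token scope falls back to repository defaults"))
    return findings


def severities(text):
    return [f.severity for f in audit_workflow(text)]


# Constructed sample: the shape of the vulnerable triage workflow described above.
VULNERABLE = """\
name: issue-triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: gemini --yolo -p "Triage this issue"
"""
# Constructed hardened form: no --yolo, read-only contents scope, issue labelling kept.
HARDENED = VULNERABLE.replace("--yolo ", "").replace("contents: write", "contents: read")
# Constructed: push-triggered, list-form 'on:', no permissions block at all.
NOPERM = """\
name: nightly
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: gemini --yolo -p "Summarize today's commits"
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("noperm", NOPERM)):
        print(name, [(f.severity, f.message) for f in audit_workflow(wf)])
```

The parser is deliberately line-based so it runs without a YAML library; it is a triage aid, not a replacement for reading the workflow. The hardened variant keeps the triage job but drops --yolo so the tool allowlist applies, and scopes the token to contents: read, so even a successful injection in an issue body cannot turn into a push to the repository.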