Google Gemini security flaw could have let anyone access systems or run code
Gemini could automatically run certain commands that were previously placed on an allow-list
If a benign command was paired with a malicious one, Gemini could execute it without warning
Version 0.1.14 addresses the flaw, so users should update now
A security flaw in Google's new Gemini CLI tool allowed threat actors to target software developers with malware, even exfiltrating sensitive information from their devices, without them ever knowing.
The vulnerability was discovered by cybersecurity researchers from Tracebit just days after Gemini CLI was first launched on June 25, 2025.
Google released a fix with the version 0.1.14, which is now available for download.
Hiding the attack in plain sight
Gemini CLI is a tool that lets developers talk to Google's AI (called Gemini) directly from the command line. It can understand code, make suggestions, and even run commands on the user's device.
The problem stems from the fact that Gemini could automatically run certain commands that were previously placed on an allow-list. According to Tracebit, there was a way to sneak hidden, malicious instructions into files that Gemini reads, like README.md.
In one test, a seemingly harmless command was paired with a malicious one that exfiltrated sensitive information (such as system variables or credentials) to a third-party server.
Because Gemini thought it was just a trusted command, it didn't warn the user or ask for approval. Tracebit also says the malicious command could be hidden using clever formatting, so users wouldn't even see it happening.
"The malicious command could be anything (installing a remote shell, deleting files, etc),' the researchers explained.
The attack is not that easy to pull off, though. It requires a little setting up, including having a trusted command on the allow-list, but it could still be used to trick unsuspecting developers into running dangerous code.
Google has now patched the problem, and if you're using Gemini CLI, make sure to update to version 0.1.14 or newer as soon as possible. Also, make sure not to run it on unknown, or untrusted code (unless you're in a secure test environment).
Via BleepingComputer
You might also like
Google says Gemini is being misused to launch major cyberattacks
Take a look at our guide to the best authenticator app
We've rounded up the best password managers
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Yahoo
an hour ago
- Yahoo
Google slugged $55m over Telstra, Optus deal
Tech giant Google has agreed to pay a $55m fine for a deal with Australia's major telcos aimed at reducing search competition. According to the ACCC, the deal involved Telstra and Optus pre-installing only Google Search on Android phones the telcos sold to consumers. In return, Telstra and Optus would receive a share of the revenue generated from ads displayed to consumers via Google Search on these devices. The ACCC said by pre-installing Google Search engines on these devices, the telcos and tech giant engaged in anticompetitive business practices. The ACCC said the breaches in competition laws occurred between December 2019 and March 2021. Google admitted that this relationship with the telcos substantially lessened competition, the ACCC said. The proceedings started on Monday in the Federal Court, with Google admitting liability and agreeing to pay $55m. 'Conduct that restricts competition is illegal in Australia because it usually means less choice, higher costs or worse service for consumers,," ACCC chair Gina Cass-Gottlieb said. Telstra, Optus and TPG last year agreed with the ACCC not to enter into new search exclusive deals with Google. 'Today's outcome, along with Telstra, Optus and TPG's undertakings, have created the potential for millions of Australians to have greater search choice in the future and for competing search providers to gain meaningful exposure to Australian consumers,' Ms Cass-Gottlieb said. The three telcos could configure search services on a device-by-device basis and in ways that may not align with Google settings, the ACCC said. It said Google didn't agree with all of the ACCC's concerns but gave an undertaking to address them.
Forbes
3 hours ago
- Forbes
Amazon's App Store Decision—48 Hours To Delete Your Apps
You have been warned. Amazon has confirmed that 'starting August 20, 2025, you will no longer have access to the Amazon Appstore on your Android device.' That's just 48 hours from now. The retail giant says it will now focus its efforts on its own devices. For anyone who has installed an app from the store, this is a potential security threat and you need to act before the deadline. All apps must be deleted. Per Android Police, 'once no longer supported, apps downloaded via the Amazon Appstore "will not be guaranteed to operate on Android devices." That means no support, which not only risks apps becoming 'highly unstable' but also means any security vulnerabilities will not be patched. While Amazon's advice is to install replacement or replica apps from Google's Play Store, you actually need to do more than that. Any apps you may have installed from Amazon's store need to be deleted. If they remain on your phone in an unsupported state, then it outs your device and your data at risk. Amazon also confirms that 'we will also be discontinuing the Amazon Coins program on August 20, 2025.' Those who have used the store and still have Amazon Coins will see those refunded, albeit details on how and when that will be done seem scarce. Android users should focus on Play Store only for apps, it remains your best bet when it comes to security safeguards and works in tandem with Android's core OS and the Play ecosystem that underpins it. That includes Play Protect, which protects your phone from dangerous apps from any source. It's also worth noting that Google is pushing a wider clampdown in third-party stores with its new Advanced Protection Mode, albeit Amazon would no doubt have been seen as an official store for all phones had it continued longer term.
Yahoo
3 hours ago
- Yahoo
Australian regulator sues Google over anti-competitive Search deals
(Reuters) -Australia's competition regulator said on Monday it has begun proceedings against Alphabet's Google over its past deals with telecom operators Telstra and Optus for the pre-installation of Google Search on Android mobile phones. Google has cooperated with the regulator, admitted liability and agreed to jointly submit to the Federal Court that it should pay a total penalty of A$55 million ($35.8 million), the Australian Competition and Consumer Commission (ACCC) said. ($1 = A$1.5349)
