Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
The vulnerability consists of improper input validation in the operating system command used in the container execution module (CWE-20 / Improper Input Validation / command injection). An attacker can place a maliciously crafted .gemini/.env file in a repository or project, and its contents will be passed to the system command without proper sanitization. As a result, code contained in the file is executed on the host before the sandbox isolation mechanisms are activated, completely bypassing containerization security on headless CI platforms.
An attacker can achieve full remote code execution (RCE) at the host system level before entering the sandbox environment, which can lead to compromise of the entire CI/CD environment, theft of secrets and tokens, and lateral movement within the infrastructure.
Immediately update Google Gemini CLI to version 0.39.1 or later and GitHub Action run-gemini-cli to version 0.1.22 or later. Additionally, it is recommended to review the contents of .gemini/.env files in repositories for unauthorized modifications and restrict access to CI pipelines from untrusted code sources.
Google Gemini CLI in versions prior to 0.39.1 and GitHub Action run-gemini-cli in versions prior to 0.1.22, used on headless CI platforms.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:ClearGoogle Gemini Cli
APPGoogle0.40.0< 0.39.1Google Run Gemini Cli
APPGoogle< 0.1.22
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Type confusion w V8 (Google Chrome/Edge) umożliwiający heap corruption
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox