Securing Google Gemini CLI: Understanding and Mitigating the RCE Vulnerability

Overview

In early 2025, Google patched a critical remote code execution (RCE) vulnerability in its Gemini CLI tool—the @google/gemini-cli npm package and the associated google-github-actions/run-gemini-cli GitHub Action. This flaw, rated CVSS 10 (maximum severity), could allow an unprivileged external attacker to force malicious content into the Gemini configuration file, leading to arbitrary command execution on any system running the CLI. This guide explains the vulnerability, how to identify affected environments, step-by-step remediation, and common pitfalls to avoid. Whether you're a developer using Gemini CLI locally or in CI/CD pipelines, understanding this issue is essential to maintaining secure AI-assisted workflows.

Securing Google Gemini CLI: Understanding and Mitigating the RCE Vulnerability — Source: feeds.feedburner.com

Prerequisites

Before you begin, ensure you have:

Basic familiarity with command-line interfaces – You'll need to run terminal commands.
Access to systems using Gemini CLI – Either your local machine, a build server, or a GitHub Actions runner.
Node.js and npm installed (for checking the npm package version) – Step 3 requires this.
GitHub Actions experience (optional) – Understanding workflows helps in Step 2.
Sudo/administrator privileges – Updating system-wide packages may require elevated rights.

Step-by-Step Guide

1. Understanding the Vulnerability

The issue stemmed from how Gemini CLI loaded its configuration file (.gemini/config.yml or gemini.config.js by default). Under certain conditions, the tool would accept external configuration data from untrusted sources (e.g., environment variables, network origins, or malformed inputs). An attacker could craft a malicious payload that, when processed, would execute arbitrary commands on the host machine. This is a classic configuration injection leading to RCE.

Key facts:

Attack vector: Remote, unauthenticated (no privileges required).
Impact: Full system compromise – attacker can run any command with the permissions of the user running Gemini CLI.
Affected components: The npm package @google/gemini-cli and the GitHub Action google-github-actions/run-gemini-cli.
Fix version: The vulnerability was patched in @google/gemini-cli@1.6.3 (check official advisory for exact).

2. Identifying Affected Components

2a. Check the npm package version

Run this command in your terminal (or on your CI server):

npm list @google/gemini-cli 2>/dev/null || gemini --version

If you see a version below 1.6.3, it is vulnerable. If the package is not installed locally, check package.json or node_modules.

2b. Check the GitHub Action usage

Look at your workflow YAML files (e.g., .github/workflows/*.yml). Search for google-github-actions/run-gemini-cli@. Example:

- uses: google-github-actions/run-gemini-cli@v1

If the version is v1.0.0 or earlier (or any version before the fix), it is vulnerable. The patched release is v1.1.0 (verify release notes).

3. Patching and Updating

3a. Update the npm package

Run:

npm install @google/gemini-cli@latest

Or, if globally installed:

npm install -g @google/gemini-cli@latest

Verify the new version:

gemini --version

3b. Update the GitHub Action

In your workflow file, change the uses line to:

- uses: google-github-actions/run-gemini-cli@v1.1.0

Or if you prefer major version pinning, use the patched major version (e.g., @v1 if v1.1.0 is latest within v1). Always verify the exact version from the GitHub Marketplace.

4. Hardening Configuration

Even after patching, adopt these best practices to prevent future injection attacks:

Avoid loading configuration from untrusted sources – Do not set environment variables like GEMINI_CONFIG_URL to external URLs unless you validate the content.
Use strict file permissions – Ensure the config file (.gemini/config.yml) is owned by the intended user and has permissions 600 or 644 as needed.
Pin action versions – Always pin GitHub Actions to a specific commit SHA or a verified release tag to avoid supply chain attacks.
Scan for misconfigurations – Regularly audit your CI/CD pipelines for insecure YAML or environment variable injection.

5. Verifying Security

After applying updates, run a quick sanity check:

Test locally: Run gemini --version and confirm it's the patched version.
Test CI: Trigger your workflow and check the logs for any warnings about deprecated or insecure configurations.
Scan with static analysis – Use tools like npm audit or snyk to detect any remaining vulnerabilities in your dependencies.

Example audit command:

npm audit --audit-level=critical

This will flag any high-severity issues.

Common Mistakes

Ignoring minor version bumps – The fix was rolled out as a patch version (1.6.3). Some teams skip patch updates, thinking only major/minor matter. Always apply security patches regardless of version bump.
Only updating locally but not in CI – Developers often update their local npm packages but forget to update the Docker images or build servers.
Using loose version ranges in GitHub Actions – Writing @v1 without specifying a patch may pull in a later vulnerable version if the tag is not updated correctly. Always pin to a specific version or SHA.
Assuming the vulnerability is limited to the CLI – The RCE could propagate to any system using Gemini, including production environments if the tool runs there.
Not monitoring security advisories – Subscribe to Google's security bulletins and npm/GitHub vulnerability feeds for Gemini CLI.

Summary

The Google Gemini CLI vulnerability (CVSS 10) demonstrates the danger of configuration injection in AI tools. By understanding how the flaw works, checking your versions, and applying the patch, you can protect your systems. Remember to also harden configurations and pin action versions. The steps outlined above—from identification to verification—will help you close this critical security gap and maintain a secure development environment.