Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution

Published: April 30, 2026 at 03:07 AM EDT

Source: The Hacker News

Overview

Google has addressed a maximum‑severity security flaw in Gemini CLI – the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow. The vulnerability could have allowed attackers to execute arbitrary commands on host systems.

Vulnerability Details

The issue allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration. By doing so, the attacker could achieve remote code execution (RCE) on affected systems.

Impact

  • CVSS Score: 10 (Critical)
  • Affected Components:
    • @google/gemini-cli npm package
    • google-github-actions/run-gemini-cli GitHub Actions workflow
  • Potential Consequences: Arbitrary command execution, full system compromise, and unauthorized access to CI/CD pipelines.

Mitigation

  • Update Packages: Upgrade @google/gemini-cli and google-github-actions/run-gemini-cli to the latest releases, which contain the fix.
  • Review Configurations: Ensure that only trusted configuration files are used in Gemini CLI workflows.
  • Monitor Dependencies: Regularly audit npm dependencies and GitHub Actions for known vulnerabilities.
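As an added example (not code from the article or from Google's project), a small audit script that applies the three mitigations above to constructed inputs: it flags run-gemini-cli steps in workflow files that are not pinned to a 40-character commit SHA, and reports whether the @google/gemini-cli version resolved in package-lock.json is below a minimum fixed version, which is a placeholder here because the article does not state it.

```python
import json
import re

# Constructed sample inputs (not from the article): two workflow files and a lockfile.
SAMPLE_WORKFLOWS = {
    "gemini-review.yml": (
        "jobs:\n  review:\n    steps:\n"
        "      - uses: google-github-actions/run-gemini-cli@v0\n"
    ),
    "gemini-pinned.yml": (
        "jobs:\n  review:\n    steps:\n"
        "      - uses: google-github-actions/run-gemini-cli@"
        "0123456789abcdef0123456789abcdef01234567 # vX.Y.Z (constructed SHA)\n"
    ),
}
SAMPLE_LOCKFILE = json.dumps({
    "packages": {"node_modules/@google/gemini-cli": {"version": "0.1.0"}}
})
# PLACEHOLDER: take the first fixed release from the advisory; the article does not state it.
MIN_FIXED_VERSION = "99.0.0"

USES_RE = re.compile(r"uses:\s*google-github-actions/run-gemini-cli@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return one finding per run-gemini-cli step: its ref and whether it is SHA-pinned."""
    return [{"ref": m.group(1), "sha_pinned": bool(SHA_RE.match(m.group(1)))}
            for m in USES_RE.finditer(text)]


def parse_semver(v):
    """'v1.2.3-beta' -> (1, 2, 3); enough for ordering release versions."""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split("."))


def gemini_cli_outdated(lockfile_text, min_fixed=MIN_FIXED_VERSION):
    """True if the resolved @google/gemini-cli version in package-lock.json is below min_fixed."""
    pkgs = json.loads(lockfile_text).get("packages", {})
    entry = pkgs.get("node_modules/@google/gemini-cli")
    if entry is None:
        return False  # package not installed; nothing to upgrade
    return parse_semver(entry["version"]) < parse_semver(min_fixed)


def audit(workflows, lockfile_text):
    """Aggregate: floating (non-SHA) action refs per workflow file, plus npm package status."""
    unpinned = {name: [f["ref"] for f in audit_workflow(t) if not f["sha_pinned"]]
                for name, t in workflows.items()}
    return {"unpinned": {k: v for k, v in unpinned.items() if v},
            "gemini_cli_outdated": gemini_cli_outdated(lockfile_text)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_WORKFLOWS, SAMPLE_LOCKFILE), indent=2))
```

Point the script at your real .github/workflows/*.yml files and package-lock.json, and set MIN_FIXED_VERSION from the advisory.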


For further information, consult the official Google security announcements and update your CI/CD pipelines accordingly.
