★ 9/10 · General · 2026-04-30

Google's fix for critical Gemini CLI bug might break your CI/CD pipelines

Summary

Google has patched a critical CVSS 10.0 Remote Code Execution (RCE) vulnerability in the Gemini CLI that allowed attackers to execute code via malicious configuration files. The fix introduces stricter workspace trust requirements, which may break existing CI/CD pipelines and GitHub Actions that rely on automatic configuration loading.

Key Points

  • The vulnerability is addressed in Gemini CLI versions 0.39.1 and 0.40.0-preview.3.
  • The flaw allowed RCE through malicious environment variables located in the .gemini/ directory when the CLI is running in headless mode.
  • The run-gemini-cli GitHub Action may break for users who do not pin a specific version, as the action defaults to the latest release.
  • The --yolo mode no longer bypasses fine-grained tool allowlists; the policy engine now evaluates these lists even when --yolo is active.
  • The vulnerability enabled unprivileged access to secrets, credentials, and source code within the execution environment.

Technical Details

The vulnerability originated from an infrastructure-level issue in the Gemini CLI's headless mode, where the tool automatically assumed any active workspace folder was trusted. This allowed the tool to silently load configuration files and environment variables from the .gemini/ directory without user intervention. This behavior differed from the interactive mode, which requires users to explicitly trust a folder before workspace configurations are loaded.

The patch aligns the behavior of headless mode with interactive mode by requiring explicit trust mechanisms. Furthermore, the update modifies the functionality of the --yolo mode. In previous versions, --yolo allowed the CLI to bypass fine-grained tool allowlists and automatically approve agent actions. As of version 0.39.1, the Gemini CLI policy engine evaluates tool allowlisting even when running in --yolo mode, which may cause workflows that depend on unconstrained tool usage to fail silently or error out.

Impact / Why It Matters

Developers using the run-gemini-cli GitHub Action or automated pipelines must review their workflows to ensure they explicitly handle workspace trust and tool allowlists. Failure to update these configurations may result in broken CI/CD pipelines or continued exposure to supply-chain attack vectors.
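A pre-flight gate a pipeline could run before invoking the CLI in headless mode, as an added example that is not Google's or the Gemini CLI project's code: it checks the installed version against the fixed releases named above and lists files under .gemini/ in the checkout. The function names, the trusted_source flag and the rule for ordering preview builds are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

FIXED_STABLE = (0, 39, 1)          # fixed releases as stated on this page
FIXED_PREVIEW = ((0, 40, 0), 3)    # 0.40.0-preview.3
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def is_patched(version):
    """True/False if the version can be ordered against the fixed releases,
    None if it cannot (unparsable, or a pre-release channel the page does not cover)."""
    m = _VER.match(version.strip())
    if not m:
        return None
    core, pre = tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)
    if pre is None:
        return core >= FIXED_STABLE
    pm = re.fullmatch(r"preview\.(\d+)", pre)
    if pm is None:
        return None
    if core == FIXED_PREVIEW[0]:
        return int(pm.group(1)) >= FIXED_PREVIEW[1]
    # Assumption: previews of releases after 0.40.0 carry the fix; earlier ones do not.
    return core > FIXED_PREVIEW[0]

def workspace_config(checkout):
    """Files under <checkout>/.gemini/, the directory headless mode loaded from."""
    root = Path(checkout) / ".gemini"
    if not root.is_dir():
        return []
    return sorted(p.relative_to(checkout).as_posix() for p in root.rglob("*") if p.is_file())

def preflight(version, checkout, trusted_source):
    """Return reasons to stop the job; an empty list means proceed.
    trusted_source is a hypothetical flag the pipeline sets (False for fork PRs, say)."""
    reasons = []
    if is_patched(version) is not True:
        reasons.append(f"Gemini CLI {version} is not known to contain the fix")
    files = workspace_config(checkout)
    if files and not trusted_source:
        reasons.append("untrusted checkout ships workspace config: " + ", ".join(files))
    return reasons

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:          # constructed sample checkout
        (Path(d) / ".gemini").mkdir()
        (Path(d) / ".gemini" / ".env").write_text("EXAMPLE=1\n")
        for v in ("0.39.0", "0.39.1", "0.40.0-preview.2", "0.40.0-preview.3"):
            print(v, preflight(v, d, trusted_source=False))
```

A version the gate cannot order, such as a floating tag or a nightly build, is reported rather than assumed safe, which is the case an unpinned pipeline ends up in.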
