Google Gemini CLI's 10.0 CVSS Flaw: What Broke and How to Fix It

What Happened

Security researchers at Novee Security discovered a critical remote code execution vulnerability in Google's Gemini CLI tool, rated with a CVSS score of 10.0. This flaw affected versions before 0.39.1 and 0.40.0-preview.3. The vulnerability arose from improper handling of workspace trust in CI/CD environments. When integrated into pipelines, the tool trusted the workspace context without validating the safety of commands or tools it executed. An attacker could inject malicious code into a repository or CI/CD configuration to execute arbitrary commands on the build server.

Google released patches that enforce stricter controls, requiring explicit allowlisting of tools and commands before execution.

Timeline

The vulnerability was disclosed by Novee Security through responsible channels. Google released patches in versions 0.39.1 and 0.40.0-preview.3. The issue was classified under several Common Weakness Enumeration categories: CWE-20 (Improper Input Validation), CWE-77 (Command Injection), CWE-78 (OS Command Injection), and CWE-200 (Exposure of Sensitive Information).

Which Controls Failed or Were Missing

1. Input Validation Failure

The Gemini CLI accepted workspace configurations and tool invocations without validating their source or content, allowing arbitrary command execution through malicious commits or compromised dependencies.

2. Insufficient Isolation

The tool ran with the same privilege level as the CI/CD pipeline, lacking sandboxing or privilege separation. This allowed attackers to inherit full pipeline permissions, including access to secrets and production systems.

3. Implicit Trust Model

The tool assumed code in the workspace was safe to execute. That model fails in environments where dependencies pull code from external sources and CI/CD pipelines run on commits from multiple contributors.

4. Missing Tool Allowlisting

Before the patch, there was no mechanism to restrict which tools or commands the CLI could invoke, allowing execution of any valid command string.

What the Relevant Standards Require

PCI DSS v4.0.1 Requirement 6.2.4

Organizations must address coding vulnerabilities during software development, including improper input validation and command injection. Development tools must validate all inputs before processing them. This vulnerability would constitute a compliance failure if your CI/CD pipeline handles cardholder data.

OWASP ASVS v4.0.3 Section 5.2

Verification requirement 5.2.8 emphasizes sanitizing user input to protect against injection attacks. The Gemini CLI's failure to sanitize configurations before executing commands violates these requirements.

NIST 800-53 Rev 5 Control SI-10

Information Input Validation requires applications to check the validity of inputs. The Gemini CLI failed to perform these checks on workspace tool configurations.

ISO/IEC 27001:2022 Control 8.3

Security must be built into applications throughout the development lifecycle. Integrating third-party tools into your CI/CD pipeline impacts your compliance posture.

Lessons and Action Items for Your Team

Immediate Actions

  1. Update the Gemini CLI now. If you're running versions before 0.39.1 or 0.40.0-preview.3, update immediately.

  2. Audit your CI/CD tool inventory. Document every CLI tool, plugin, and integration in your pipelines, noting for each its current version, whether it executes commands based on workspace configuration, its permissions, and the date of its last security review.

  3. Review pipeline secrets exposure. Assume exploitation occurred. Rotate credentials for any systems your CI/CD pipeline can access.

Architectural Changes

  1. Implement tool allowlisting. Create an approved list of commands and tools for each pipeline stage. Reject execution attempts for anything not on the list.

  2. Separate privilege levels. Use separate service accounts with minimum required privileges for each pipeline stage to prevent attackers from gaining deployment access if a build tool is compromised.

  3. Add workspace validation. Validate workspace configurations against known-good hashes or require signed commits before executing any pipeline.
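
A minimal sketch of the tool allowlisting item above, added here as an illustration; it is not code from Google, Novee Security, or the Gemini CLI. The stage names, the policy contents, and the helpers `check_command` and `run_checked` are hypothetical.

```python
import os
import shlex
import subprocess

# Hypothetical policy: pipeline stage -> executable -> permitted first argument.
# Anything not listed here is denied by default.
STAGE_ALLOWLIST = {
    "review": {"git": {"diff", "log", "status"}},
    "comment": {"gh": {"pr"}},
}

# Characters that let a single string carry extra commands once a shell parses it.
SHELL_META = set(";&|`$<>(){}\n")


def check_command(stage, command):
    """Return (allowed, reason) for a command string requested in a stage."""
    policy = STAGE_ALLOWLIST.get(stage)
    if policy is None:
        return False, f"unknown stage {stage!r}"
    if any(ch in SHELL_META for ch in command):
        return False, "shell metacharacter in command"
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # for example, unbalanced quotes
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    exe = argv[0]
    if os.path.basename(exe) != exe:
        return False, "path-qualified executable; only bare names are accepted"
    if exe not in policy:
        return False, f"{exe!r} not allowlisted for stage {stage!r}"
    if len(argv) < 2 or argv[1] not in policy[exe]:
        return False, f"subcommand not allowlisted for {exe!r}"
    return True, "allowlisted"


def run_checked(stage, command):
    """Execute only allowlisted commands; raise so the pipeline step fails closed."""
    ok, reason = check_command(stage, command)
    if not ok:
        raise PermissionError(f"denied [{stage}] {command!r}: {reason}")
    # Pass an argv list with shell=False so no shell re-interprets the string.
    return subprocess.run(shlex.split(command), shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real pipeline.
    for cmd in ("git diff HEAD~1", "git diff; env", "/tmp/git diff", "git push origin main"):
        print(cmd, "->", check_command("review", cmd))
```

An allowlisted tool that itself runs workspace-defined scripts still inherits the implicit-trust problem, so this check complements the privilege separation and workspace validation items rather than replacing them.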

Process Improvements

  1. Establish a tool vetting process. Require security reviews, documentation, isolated testing, and approval from DevOps and security teams before adding new tools.

  2. Monitor for unusual execution patterns. Log all command executions and alert on commands not explicitly defined in your pipeline configuration.

  3. Subscribe to security advisories. Monitor the channels where vendors publish security updates so that you can patch before a flaw is exploited.

The Gemini CLI vulnerability highlights the need to re-evaluate CI/CD pipeline security. Your team must verify trust explicitly, not assume it implicitly.
