7 Critical Facts About Google's Gemini CLI Patch: From CVSS 10 to Cursor Flaws

From Tuyetthe, the free encyclopedia of technology

In a recent security advisory, Google disclosed a critical vulnerability in its Gemini CLI tool—the @google/gemini-cli npm package and the associated google-github-actions/run-gemini-cli GitHub Actions workflow. This flaw, rated CVSS 10, could have allowed attackers to execute arbitrary commands on host systems, potentially leading to data breaches, system compromise, and supply-chain attacks. This listicle breaks down the seven most important things you need to know about this vulnerability, its impact, and how Google fixed it—along with related dangers from Cursor flaws that enable similar code execution.

1. What Is Gemini CLI and Why It Matters

Gemini is Google’s family of generative AI models, and the Gemini CLI (command-line interface) lets developers interact with those models directly from a terminal. It is distributed as the npm package @google/gemini-cli and is also wrapped for GitHub Actions by the google-github-actions/run-gemini-cli workflow. The tool is commonly wired into continuous integration/continuous deployment (CI/CD) pipelines to automate tasks such as code generation, analysis, and testing. It runs with the privileges of the user or service account that invokes it, so in a CI job it inherits whatever that job can reach: the repository checkout, the job’s API token, and any secrets exposed to the step. A vulnerability in the CLI is therefore a vulnerability in everything that context can touch, which is why its role in automated environments is central to understanding the severity of the flaw.

Source: feeds.feedburner.com

2. The CVSS 10 Vulnerability: How It Was Discovered

Security researchers identified a critical flaw in the Gemini CLI that earned a perfect 10.0 on the Common Vulnerability Scoring System (CVSS). The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration. That matters because configuration is an execution boundary for a tool like this: settings decide what the CLI runs and with which arguments, so injecting arbitrary configuration is equivalent to remote code execution (RCE) on the host machine. The discovery was made during an audit of the npm package and GitHub Actions workflow, highlighting the risks inherent in third-party dependencies and CI/CD integrations. The flaw was reported to Google through its vulnerability disclosure program, and the company acted swiftly to develop a patch.

3. Attack Vector: How an Attacker Could Exploit This

To understand the attack, picture a developer running the Gemini CLI in a pipeline. The tool normally loads its configuration from a location it treats as trusted. The vulnerability let an attacker with no prior access to the system substitute malicious configuration for the legitimate settings; depending on how the tool is deployed, that content could arrive through manipulated network traffic, a man-in-the-middle position, or a misconfigured environment variable. In CI there is an even shorter route worth checking: the checked-out repository itself is attacker-influenced whenever a workflow runs on pull requests, so any configuration file the tool reads from the workspace is effectively attacker-supplied in that setting. Once the malicious configuration is loaded, the attacker can run arbitrary shell commands as the CLI process: read the job’s environment and secrets, install malware, alter build outputs, or pivot to internal systems reachable from the runner. The attack required no authentication and no user interaction, which is what makes it so dangerous in unattended CI workflows.

4. Impact: Remote Code Execution and Beyond

The most immediate impact of this vulnerability is remote code execution (RCE) with the privileges of the Gemini CLI process. In a typical CI/CD pipeline that process holds the job’s credentials: deployment keys, database passwords, cloud and API tokens. An attacker who achieves RCE can steal those secrets, modify build artifacts, or push tainted code and packages downstream, compromising the software supply chain. Because the flaw exists in both the npm package and the GitHub Action, any project using either is affected. The CVSS 10 rating reflects the worst case: a network-reachable flaw needing no privileges and no user interaction, whose effect crosses into other components, with complete loss of confidentiality, integrity, and availability. Organizations using Gemini CLI in development or production should treat exposure as a critical incident: rotate any secrets the tool could have reached and check for unexpected changes in artifacts produced while a vulnerable version was in use.

5. Google’s Fix: Patching the Package and Workflow

Google promptly released fixes for the Gemini CLI. The patch hardens the configuration loading mechanism so that external, untrusted sources can no longer override legitimate settings: the tool now checks where configuration comes from and discards anything that does not originate from a trusted, authorized source. The npm package @google/gemini-cli was updated to version 1.1.1 (or higher), and the GitHub Actions workflow was updated accordingly. Update immediately and verify the result rather than assuming it: npm update only moves within the semver range declared in package.json, so a pinned range can leave the vulnerable version in place; check with npm ls @google/gemini-cli (or npm ls -g @google/gemini-cli for a global install) and widen the range if necessary. For the Action, reference the fixed release and pin it to a commit SHA rather than a mutable tag. Then review pipeline configuration to make sure the tool cannot be fed untrusted inputs, and enable logging and monitoring for suspicious activity in environments where it runs, as Google recommended.
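The pattern behind sections 3 and 5, as an added illustration rather than code from Gemini CLI or Google: a loader that merges a trusted per-user configuration with an untrusted per-workspace one (for example a file committed to the repository a CI job has just checked out). The key names (preRunCommand, maxOutputTokens, model), the two-file layout and the sample inputs are assumptions for the demo, not Gemini CLI’s real schema. The vulnerable loader lets the workspace file override anything; the hardened one accepts only allowlisted, type-checked keys from it.

```javascript
'use strict';

// Added example, not Gemini CLI's own code. Two configuration layers:
//   - user config: lives under the user's home directory, trusted;
//   - workspace config: read from the current checkout, untrusted in CI
//     because a pull request can change any file in it.
// preRunCommand models a setting the tool would execute. All key names are
// hypothetical.

// Keys a workspace file may set, with the type each must have. Keys that
// change what the tool executes are deliberately absent, so a repository
// can tune the model but never supply a command.
const WORKSPACE_ALLOWED_KEYS = {
  model: 'string',
  maxOutputTokens: 'number',
};

// Constructed sample inputs. The workspace file is what an attacker who can
// change repository contents would commit.
const USER_CONFIG_TEXT = '{"model": "model-a", "maxOutputTokens": 1024}';
const WORKSPACE_CONFIG_TEXT =
  '{"maxOutputTokens": 4096, "preRunCommand": "printenv > /tmp/ci-secrets.txt"}';

// Parse a config document and insist on a plain JSON object.
function parseConfig(text) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('config must be a JSON object');
  }
  return parsed;
}

// BEFORE: every workspace key overrides the user's setting, so whoever
// controls the workspace file controls preRunCommand.
function loadConfigVulnerable(userText, workspaceText) {
  return Object.assign({}, parseConfig(userText), parseConfig(workspaceText));
}

// AFTER: the workspace file may only set allowlisted keys of the expected
// type; everything else is recorded and dropped. hasOwnProperty keeps
// inherited names such as "constructor" or "__proto__" off the allowlist.
function loadConfigHardened(userText, workspaceText) {
  const config = Object.assign({}, parseConfig(userText));
  const rejected = [];
  for (const [key, value] of Object.entries(parseConfig(workspaceText))) {
    const allowed = Object.prototype.hasOwnProperty.call(WORKSPACE_ALLOWED_KEYS, key);
    if (allowed && typeof value === WORKSPACE_ALLOWED_KEYS[key]) {
      config[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { config, rejected };
}

// Stand-in for the point where the tool would spawn the hook. It returns
// the command instead of running it, so the example is safe to execute.
function plannedPreRunCommand(config) {
  return typeof config.preRunCommand === 'string' ? config.preRunCommand : null;
}

// Run both loaders on the same inputs and report what each would execute.
function demoMerge() {
  const before = loadConfigVulnerable(USER_CONFIG_TEXT, WORKSPACE_CONFIG_TEXT);
  const after = loadConfigHardened(USER_CONFIG_TEXT, WORKSPACE_CONFIG_TEXT);
  return {
    vulnerableWouldRun: plannedPreRunCommand(before),
    hardenedWouldRun: plannedPreRunCommand(after.config),
    hardenedConfig: after.config,
    rejectedKeys: after.rejected,
  };
}

console.log(JSON.stringify(demoMerge(), null, 2));
```

Run it with node; it prints what each loader would execute. The shape of the fix is the point: the property to protect is not the config file’s syntax but which source is allowed to set which keys. One assumption remains: the user-level file really must sit where the untrusted party cannot write, which is not automatic on a CI runner whose home directory is part of the job’s scratch space.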


6. Cursor Flaws: A Parallel Danger for Code Execution

Separate from the Gemini CLI vulnerability, researchers also identified flaws in Cursor that enable code execution in similar contexts. Cursor is an AI-assisted code editor that integrates with several language models. The flaws allowed attackers to inject malicious code through prompt injection or misconfigured plugins, leading to arbitrary code execution on the user’s machine. The two issues are unrelated in code, but they share a theme: AI tooling that consumes external input (files in a repository, prompts, plugin configuration) without treating it as untrusted becomes a path to RCE. The Cursor flaws were patched in recent updates. The broader industry challenge is the same in both cases: as AI tools become more integrated into developer workflows, securing their input channels is paramount.

7. Best Practices for Secure CLI Usage in AI-Powered Tools

To protect against similar vulnerabilities, organizations should adopt a short set of habits. First, keep CLI tools and their dependencies current, and verify the installed version after updating; outdated packages are a common entry point for attackers. Second, run AI tools with the least privilege they need: scope CI tokens to the permissions the job actually uses, keep production secrets out of jobs that process untrusted input, and do not hand the tool credentials it was not designed to hold. Third, treat any configuration file or external data the tool reads as untrusted unless it comes from a location the untrusted party cannot write, and validate it (schema, allowed keys, integrity) before acting on it. Fourth, use network controls (firewalls, egress proxies, TLS with certificate verification) to prevent man-in-the-middle tampering. Finally, audit CI/CD pipelines and third-party integrations regularly, with particular attention to workflows that run on pull requests. These measures reduce the chance that a single flaw in an AI tool turns into code execution with your pipeline’s credentials.

Conclusion

The CVSS 10 vulnerability in Google’s Gemini CLI and the concurrent Cursor flaws serve as stark reminders that even trusted AI development tools can harbor critical security weaknesses. The good news is that Google responded quickly with a patch, and similar flaws in Cursor have been addressed. However, the onus is on developers and organizations to stay vigilant—update software promptly, apply least privilege principles, and monitor for anomalies. As AI tools become more embedded in our workflows, securing the input and execution environment must be a top priority to prevent code execution attacks that could compromise entire systems.