@google/gemini-cli is vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Risk: Critical (score 100)
Gemini CLI running in headless environments such as CI previously auto-trusted workspace folders and could load .gemini and .env configuration from untrusted repository content before explicit trust was granted. In --yolo mode, fine-grained tool allowlists could also be bypassed, allowing dangerous run_shell_command usage despite an intended restricted allowlist. This could lead to remote code execution when workflows process attacker-controlled pull requests or issues. Version 0.39.1 changes the trust model and tool allowlisting behavior for the stable npm package.
You are affected if you use @google/gemini-cli in the vulnerable range: versions 0.0.1 through 0.39.0 inclusive are subject to this OS command injection issue (CWE-78, Improper Neutralization of Special Elements used in an OS Command).
Upgrade @google/gemini-cli to 0.39.1 or later, which changes the workspace trust model and tool allowlisting behavior. Until the upgrade is deployed, do not run the CLI with --yolo in CI on attacker-controlled pull requests or issues.
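A CI pre-flight gate that a practitioner could drop in front of any job that invokes Gemini CLI, written here as an added example and not code from the Gemini CLI project or this advisory. It assumes the job obtains the installed version from `npm ls @google/gemini-cli --json`, checks out the pull request before running the CLI, and can list the files in that checkout; the sample npm output and file list are constructed. It flags three things the advisory describes: a version inside 0.0.1 to 0.39.0, use of --yolo on such a version, and `.gemini` or `.env` content arriving from the untrusted checkout (matching `.env.*` variants as well is this example's assumption).

```python
"""CI pre-flight gate for @google/gemini-cli (added example, not Gemini CLI code)."""
import json
import re
from pathlib import PurePosixPath
from typing import Iterable, List, Optional, Tuple

PACKAGE = "@google/gemini-cli"
# Affected range from the advisory: 0.0.1 through 0.39.0 inclusive; fixed in 0.39.1.
VULN_MIN = (0, 0, 1)
VULN_MAX = (0, 39, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release/build suffixes are ignored because
    the advisory scopes the fix to stable releases of the npm package."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def installed_version(npm_ls_json: str) -> Optional[str]:
    """Extract the package version from `npm ls @google/gemini-cli --json` output."""
    tree = json.loads(npm_ls_json)
    entry = tree.get("dependencies", {}).get(PACKAGE)
    return entry.get("version") if entry else None


def untrusted_config_paths(paths: Iterable[str]) -> List[str]:
    """Return checkout files an affected CLI could read as configuration before
    trust is granted: anything under a `.gemini` directory, plus `.env` files.
    Matching `.env.*` variants is this example's assumption, not the advisory's."""
    hits: List[str] = []
    for p in paths:
        parts = PurePosixPath(p).parts
        name = parts[-1] if parts else ""
        if ".gemini" in parts[:-1] or name == ".gemini":
            hits.append(p)
        elif name == ".env" or name.startswith(".env."):
            hits.append(p)
    return hits


def ci_gate(npm_ls_json: str, checkout_paths: Iterable[str], yolo: bool) -> List[str]:
    """Collect the reasons the job should refuse to run Gemini CLI on this checkout.
    Configuration files are reported regardless of version, as a review prompt."""
    findings: List[str] = []
    version = installed_version(npm_ls_json)
    if version is None:
        findings.append(f"{PACKAGE} not found in npm ls output")
    elif is_vulnerable(version):
        findings.append(
            f"{PACKAGE}@{version} is in the affected range 0.0.1-0.39.0; upgrade to 0.39.1"
        )
        if yolo:
            findings.append("--yolo on an affected version: tool allowlists can be bypassed")
    for p in untrusted_config_paths(checkout_paths):
        findings.append(f"untrusted configuration in checkout: {p}")
    return findings


# Constructed sample input, shaped like `npm ls --json` output and a PR file list.
SAMPLE_NPM_LS = json.dumps(
    {"name": "ci-job", "dependencies": {PACKAGE: {"version": "0.39.0"}}}
)
SAMPLE_PATHS = ["README.md", ".env", "tools/.gemini/settings.json", "docs/.envrc"]

if __name__ == "__main__":
    for finding in ci_gate(SAMPLE_NPM_LS, SAMPLE_PATHS, yolo=True):
        print("BLOCK:", finding)
```

Wire `ci_gate` into the workflow step that precedes the Gemini CLI invocation and fail the job on any finding; feed it the real `npm ls` output and `git ls-files` of the checked-out pull request rather than the constructed samples above.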