A critical update has been issued for Gemini CLI (@google/gemini-cli) and the run-gemini-cli GitHub Action to address significant risks in how these tools handle untrusted environments.
With a CVSS score of 10, this update introduces a fundamental shift in the Gemini trust model, specifically targeting how the CLI interacts with workspace folders and tool allowlisting.
Previously, when Gemini CLI operated in “headless mode”—the non-interactive state used by automated CI/CD pipelines—it would automatically trust workspace folders to load configuration and environment variables.
While convenient, this posed a severe security risk for workflows dealing with untrusted content, such as reviewing user-submitted pull requests. An attacker could theoretically include a malicious .env file within a .gemini/ directory, leading to Remote Code Execution (RCE) via poisoned environment variables.
To solve this, the latest update aligns headless behavior with interactive mode: folders must now be explicitly trusted before any configuration files are processed.
The update also addresses a dangerous loophole in the CLI’s experimental --yolo mode.
Under --yolo, the CLI would ignore fine-grained tool allowlists, potentially allowing any command to run if run_shell_command was permitted.
In workflows triaging untrusted GitHub issues, this opened the door for prompt injection attacks to trigger unauthorized system commands.
As of version 0.39.1, the policy engine now enforces tool allowlisting even in yolo mode, ensuring that only specific, safe commands can be executed when processing untrusted inputs.
The impact is limited to users running Gemini CLI in headless mode within automated pipelines. If your GitHub Actions rely on the old automatic trust behavior, they will likely fail to load workspace settings until updated.
To keep your development workflow running smoothly and securely, you must take one of two paths:
- For Trusted Inputs: If you are only processing data from trusted collaborators, set GEMINI_TRUST_WORKSPACE: 'true' in your workflow file.
- For Untrusted Inputs: If you are triaging public issues or PRs, you must review the official hardening guidance and manually configure your trust settings and allowlists.
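As an added illustration (not taken from the advisory or from the Gemini CLI project), the following minimal GitHub Actions workflow shows the "trusted inputs" path: the new explicit opt-in is set only on a job whose inputs come from collaborators with write access. The action reference `google-github-actions/run-gemini-cli@v0` and the `gemini_api_key` and `prompt` inputs are assumptions for illustration; confirm them against the action's own documentation before use.

```yaml
# Added example, not the project's own workflow.
# Assumed: action reference and input names (see lead-in).
name: gemini-trusted-workspace

on:
  push:
    branches: [main]   # pushes to main come only from collaborators with write access

permissions:
  contents: read       # least privilege: the job only needs to read the checkout

jobs:
  summarize:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Gemini CLI against a trusted workspace
        uses: google-github-actions/run-gemini-cli@v0   # assumed action reference
        env:
          # Since 0.39.1 headless mode no longer trusts the workspace folder by
          # default, so .gemini/ configuration and .env files are ignored unless
          # this opt-in is present. Set it ONLY for workflows whose inputs are
          # trusted; for jobs that triage public issues or PRs leave it unset
          # and follow the hardening guidance for trust settings and allowlists.
          GEMINI_TRUST_WORKSPACE: 'true'
        with:
          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}       # assumed input name
          prompt: "Summarize the most recent commit on main"  # assumed input name
```

The key design choice is the trigger: `push` to a protected branch is workspace content that collaborators have already vetted, whereas `issues` or `pull_request_target` triggers expose the job to attacker-controlled files, which is exactly the scenario the update closes off. A workflow on those triggers should omit `GEMINI_TRUST_WORKSPACE` entirely.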
The necessary security mitigations are available in Gemini CLI version 0.39.1 and 0.40.0-preview.3. While the run-gemini-cli GitHub Action typically runs the latest version by default, developers who have pinned a specific version are urged to upgrade immediately.