Google patches coding flaw

- Google fixed a vulnerability in an AI coding tool that could have allowed execution of malicious code.
- The bug highlighted security risks when AI assistants operate inside development and CI/CD environments.
- The incident underscores that software assurance and legal exposure are becoming commercial variables for AI tools (diariobitcoin.com).

Google patched a flaw in Gemini CLI after researchers showed it could be tricked into running hidden commands on a developer’s machine. (tracebit.com) (bleepingcomputer.com)

Gemini CLI is Google’s open-source coding assistant for the terminal, where developers type commands in a text window and the tool reads project files to answer questions, edit code, and run actions. Google’s GitHub repository describes it as an “open-source AI agent” that brings Gemini directly into the terminal. (github.com 1) (github.com 2) The tool also loads instruction files called `GEMINI.md`, which act like project notes that get sent to the model with prompts. Google’s documentation says the CLI can pull those files from a user’s home directory, workspace folders, and directories a tool touches during a session. (github.com)

Tracebit said that design let a poisoned README or context file smuggle instructions to the model, a classic prompt-injection attack. In its July 28, 2025 write-up, the firm said Gemini CLI combined “improper validation, prompt injection and misleading UX” in a way that could lead to silent command execution. (tracebit.com) (cyberscoop.com) In Tracebit’s demo, Gemini CLI asked for approval to run what looked like a harmless `.md` file, then sent credentials and other data to a remote server after the user approved it. CyberScoop reported that the listening server in the demo captured the tool exfiltrating user credentials. (cyberscoop.com) (tracebit.com)

Tracebit found the issue on June 27, 2025, two days after Gemini CLI’s June 25 public release, and Google shipped a fix in version 0.1.14 on July 25, 2025. BleepingComputer and CSO Online both reported that Google classified the issue as a high-priority, high-severity fix. (bleepingcomputer.com) (csoonline.com)

The patch did not land in a niche lab product. As of April 22, 2026, Google’s public GitHub page for Gemini CLI shows more than 100,000 stars and active stable, preview, and nightly release channels. (github.com 1) (github.com 2) (github.com 3)

The case also fits a wider pattern around coding agents that can read files, call tools, and execute local commands. SecurityWeek reported this month that researchers found prompt-injection paths in Anthropic’s Claude Code, Google’s Gemini CLI, and GitHub Copilot agents by hiding instructions in comments and project files. (securityweek.com) What changed is not the basic attack idea but where the software sits. A browser chatbot can leak text; a coding agent inside a build pipeline or developer workstation can touch source code, secrets, package managers, and deployment steps. (github.com) (securityweek.com)

Google fixed this bug months ago, but the disclosure left a clear record of how quickly a coding assistant can turn a text file into an execution path. The next test for vendors is whether their safeguards make risky actions obvious before a user hits approve. (tracebit.com) (csoonline.com)
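The three ingredients Tracebit named (improper validation, prompt injection, misleading UX) all meet at one place in an agent: the gate that decides whether a model-proposed command runs automatically or is shown to the user. The following is an added illustration written for this article, not Gemini CLI's code or Google's design; the allowlist, the `Decision` type and the sample commands are constructed assumptions. It contrasts a weak gate that only inspects the first word of a command with a stricter one that refuses shell control operators and tokenizes the command before checking it, and it renders the full command with control characters made visible so the approval prompt cannot quietly hide a tail.

```python
import shlex
from typing import NamedTuple

# Constructed allowlist of read-only programs an agent might be permitted to run
# without prompting. Illustrative only; not any real tool's configuration.
ALLOWLISTED_PROGRAMS = frozenset({"grep", "cat", "ls", "find", "wc", "head"})

# Characters that let one "command" become several, redirect output, or expand
# to something else at run time. Fail closed on any of them.
SHELL_CONTROL_CHARS = frozenset(";&|`$<>(){}\n\r")


class Decision(NamedTuple):
    auto_approve: bool   # True: run without asking; False: show the user first
    reason: str
    display: str         # exactly the text the user would be asked to approve


def naive_is_allowed(command: str) -> bool:
    """Weak gate: trusts the command if its first word is allowlisted.

    Anything after the first word is never inspected, so 'grep ...; other'
    passes as if it were only grep.
    """
    stripped = command.strip()
    first = stripped.split(" ", 1)[0] if stripped else ""
    return first in ALLOWLISTED_PROGRAMS


def hardened_is_allowed(command: str) -> bool:
    """Stricter gate for auto-approval.

    1. Refuse any shell control character anywhere in the line, even inside
       quotes (a quoted ';' is a false positive that only costs one prompt).
    2. Tokenize with shlex so quoting tricks around the program name fail.
    3. Require the program itself to be allowlisted.
    """
    if any(ch in SHELL_CONTROL_CHARS for ch in command):
        return False
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes: do not guess, ask the user
        return False
    if not tokens:
        return False
    return tokens[0] in ALLOWLISTED_PROGRAMS


def render_for_approval(command: str) -> str:
    """Show the whole command with control/whitespace characters escaped.

    Newlines, tabs and non-printables become visible escapes (\\n, \\t, ...)
    so padding or line breaks cannot push the dangerous part out of view.
    """
    return command.encode("unicode_escape").decode("ascii")


def gate(command: str) -> Decision:
    """Decide whether a model-proposed command may run without user approval."""
    display = render_for_approval(command)
    if hardened_is_allowed(command):
        return Decision(True, "allowlisted program, no shell control operators", display)
    return Decision(False, "needs explicit user approval", display)


if __name__ == "__main__":
    # Constructed sample commands a model might propose after reading a context file.
    samples = [
        "grep -n TODO README.md",
        "grep -n TODO README.md; printenv",
        "grep -n TODO README.md\n\n\n; printenv",
        "curl http://example.invalid",
    ]
    for cmd in samples:
        print(f"naive={naive_is_allowed(cmd)!s:5} "
              f"hardened={hardened_is_allowed(cmd)!s:5} display={gate(cmd).display}")
```

Run as a script it prints one line per constructed sample; the chained commands pass the naive gate and fail the hardened one, and the multi-line sample is displayed with its newlines as visible `\n` escapes rather than as blank lines.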
