AI/TLDR

Google · 2026-04-30 · major

Gemini CLI Headless-Mode RCE (CVSS 10) — Workspace Auto-Trust Lets Untrusted PRs Pop CI Hosts, Patched in 0.39.1

Google patched a maximum-severity RCE in Gemini CLI's headless mode where CI runs auto-trusted workspace folders and loaded attacker-controlled config from .gemini/, executing code on the host before the agent sandbox initialized.

GitHub security advisory page for the Gemini CLI workspace-trust RCE

A 'just trust the workspace' default in CI mode let attackers run code on the host before the agent sandbox even started.

Key specs

CVSS: 10.0
Advisory ID: GHSA-wpqr-6v78-jr5g
Patched version: @google/gemini-cli 0.39.1 / 0.40.0-preview.3
Patched action: google-github-actions/run-gemini-cli 0.1.22

What is it?

A maximum-severity (CVSS 10.0) remote code execution flaw in @google/gemini-cli, the official Google Gemini CLI agent and the wrapping google-github-actions/run-gemini-cli GitHub Action. The fix shipped in versions 0.39.1 and 0.40.0-preview.3, with the corresponding action update at 0.1.22. The bug was reported by Novee Security and tracked as GHSA-wpqr-6v78-jr5g.

How does it work?

When Gemini CLI ran in headless mode (the typical setup for CI workflows that triage user-submitted pull requests), it auto-trusted the workspace folder and loaded configuration plus environment variables from a .gemini/ directory inside that workspace. An attacker could include a malicious .gemini/ in their PR; the config and env vars then triggered command execution on the host before the agent's sandbox initialized. A separate weakness bypassed tool allowlisting in --yolo mode. The patched versions require folders to be explicitly trusted before any config files are read.

Why does it matter?

Anyone running Gemini CLI in CI to review external PRs (a common 'AI bot reviewer' setup) was exposing whatever secrets, credentials, and source the workflow could reach to unprivileged outsiders. It also previews the broader CI/CD attack surface coding agents are introducing — workspace-trust assumptions made for an interactive editor break when the same code runs unattended in a build runner.

Who is it for?

Teams running Gemini CLI in CI / GitHub Actions, especially on pull-request workflows

Try it

npm i -g @google/gemini-cli@0.39.1 — and bump the action to google-github-actions/run-gemini-cli@v0.1.22
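A CI pre-flight that encodes the two defensive checks above (added example, not code from Gemini CLI or the run-gemini-cli action): refuse to start the agent if the installed CLI predates 0.39.1, or if the PR under review adds or edits anything under a .gemini/ directory, the location headless mode loaded config and env vars from. It assumes a GitHub Actions pull-request context with the base branch fetched as origin/$GITHUB_BASE_REF and that `gemini --version` prints the bare version string.

```shell
# Return 0 when version $1 >= version $2 (dot-separated numerics).
# Prerelease suffixes such as "-preview.3" are stripped, so the patched
# 0.40.0-preview.3 compares as 0.40.0.
version_ge() {
  v1=${1%%-*}; v2=${2%%-*}
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    [ "${p1:-0}" -gt "${p2:-0}" ] && return 0
    [ "${p1:-0}" -lt "${p2:-0}" ] && return 1
    case $v1 in *.*) v1=${v1#*.};; *) v1=;; esac
    case $v2 in *.*) v2=${v2#*.};; *) v2=;; esac
  done
  return 0
}

# Return 0 when no path in the newline-separated list $1 lives under a
# .gemini/ directory at any depth; otherwise print the offenders, return 1.
gemini_config_clean() {
  printf '%s\n' "$1" | grep -E '(^|/)\.gemini(/|$)' && return 1
  return 0
}

# Assumed Actions context (not from the page): base branch fetched as
# origin/$GITHUB_BASE_REF, GITHUB_SHA is the PR merge commit, and
# `gemini --version` prints the bare version on its last line.
preflight() {
  installed=$(gemini --version 2>/dev/null | tail -n 1)
  if ! version_ge "$installed" 0.39.1; then
    echo "gemini-cli '$installed' predates the GHSA-wpqr-6v78-jr5g fix" >&2
    return 1
  fi
  changed=$(git diff --name-only "origin/$GITHUB_BASE_REF...$GITHUB_SHA")
  if ! gemini_config_clean "$changed"; then
    echo "PR touches .gemini/ config; refusing to start the agent" >&2
    return 1
  fi
}

# The live check only runs when explicitly requested, so the functions can
# be sourced and exercised outside CI.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
  preflight
fi
```

Run it as a step before the run-gemini-cli action with RUN_PREFLIGHT=1; a missing CLI yields an empty version string and fails the version check too.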


Tags

  • security
  • gemini-cli
  • rce
  • ci-cd
  • supply-chain
  • workspace-trust
  • cvss-10
  • github-actions
  • agent-security
