Gemini CLI Workspace Trust Bypass: RCE via Malicious Environment Configuration in CI/CD
Gemini CLI automatically trusted workspace folders in headless/CI mode without validation, allowing malicious `.gemini/` configuration files to execute arbitrary code via environment variable injection. The `--yolo` flag further bypassed tool allowlisting controls.
CVE References
Affected
Vulnerability Description
Gemini CLI contained a workspace trust bypass vulnerability affecting headless execution environments (CI/CD pipelines, GitHub Actions). The root cause: in non-interactive mode, the application automatically trusted local workspace folders and loaded configuration from .gemini/ directories without explicit user consent or validation. This differs dangerously from interactive mode behavior. An attacker could inject malicious environment variables (e.g., via .env files in compromised repositories) that execute arbitrary commands during tool initialization, leading to remote code execution with the CI runner's privileges.
Proof-of-Concept Significance
This disclosure demonstrates a supply-chain attack vector particularly dangerous in open-source workflows: Pull Request CI runners process untrusted code in headless mode. A malicious contributor could commit .gemini/ configuration with crafted environment variables into their PR branch. Since Gemini CLI auto-trusts the workspace in CI, the malicious configuration loads and executes, compromising the CI environment, secrets, and downstream artifacts. The --yolo flag (likely "you only live once" – a no-safety-checks mode) further weakened tool allowlisting, removing secondary controls that could have mitigated exploitation. Exploitation is reliable and requires only committing files to a repository.
Detection Guidance
Log Indicators:
- Gemini CLI execution without explicit --trust flags in headless environments
- Unusual environment variable modifications originating from .gemini/ or .env files in workspace roots
- Unexpected process spawning from Gemini CLI wrapper processes in CI logs
- Tool whitelist bypass attempts or --yolo flag usage in automation logs
Monitor for: File writes to .gemini/ directories in untrusted CI jobs, environment variable assignments containing shell metacharacters or command substitution patterns in config files.
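As an added illustration of the review gate described above (not code from the advisory or from the Gemini CLI project), the following Python script flags PR changes to workspace-root .gemini/ or .env files and reports KEY=VALUE lines whose values contain shell metacharacters or command substitution. The plain KEY=VALUE .env syntax and the sample PR contents are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Paths a PR should not be allowed to touch silently: anything under a
# workspace-root .gemini/ directory, and .env files at the workspace root.
SENSITIVE_PATHS = re.compile(r"^(\.gemini/.*|\.env(\..*)?)$")

# Command substitution ($(...), backticks) and common shell metacharacters.
# Deliberately conservative: a value with '&' in a URL query string will be
# flagged for human review rather than silently allowed.
SUSPICIOUS_VALUE = re.compile(r"\$\(|`|[;|&<>]")

# Assumption: plain KEY=VALUE lines, optionally prefixed with 'export'.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def is_sensitive_path(path: str) -> bool:
    """True if a changed file lives where Gemini CLI loads workspace config."""
    return SENSITIVE_PATHS.match(PurePosixPath(path).as_posix()) is not None


def suspicious_assignments(text: str) -> list:
    """Return (line_no, name, value) for assignments whose value carries
    shell metacharacters or command substitution. Comment lines are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip('"\'')
        if SUSPICIOUS_VALUE.search(value):
            hits.append((n, name, value))
    return hits


def review_changes(changed: dict) -> list:
    """changed maps repo-relative path -> new file content (as a PR diff gives).
    Returns human-readable findings for a CI pre-check step."""
    findings = []
    for path, content in changed.items():
        if not is_sensitive_path(path):
            continue
        findings.append(f"{path}: change to workspace config file needs review")
        for n, name, value in suspicious_assignments(content):
            findings.append(f"{path}:{n}: {name} has shell metacharacters: {value!r}")
    return findings


# Constructed sample PR contents, not taken from any real repository.
SAMPLE_PR = {
    "src/app.py": "print('hello')\n",
    ".gemini/.env": "API_BASE=https://example.invalid\nTOOL_PATH=$(whoami)\n",
    ".env": "DEBUG=1\n",
}

if __name__ == "__main__":
    for finding in review_changes(SAMPLE_PR):
        print(finding)
```

Run it as a required CI check on the PR's changed files so that any hit fails the job before Gemini CLI is invoked.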
Mitigation Steps
- Immediate: Update @google/gemini-cli and the run-gemini-cli GitHub Action to patched versions requiring explicit --trust or equivalent safe configuration
- CI/CD Workflows: Add explicit workspace trust configuration steps before Gemini CLI execution; audit existing workflows for automatic trust assumptions
- Repository Security: Implement branch protection requiring approval for .gemini/ or .env file changes in critical repositories
- Environment Isolation: Run Gemini CLI in CI with minimal secrets; use OIDC token exchange over static credentials
- Disable --yolo: Remove usage of unsafe execution modes; require explicit tool allowlists in production automations
Risk Assessment
Likelihood of Wild Exploitation: High. This vulnerability directly impacts open-source projects accepting community PRs. Threat actors routinely target CI/CD as a pivot point for supply-chain compromise. The low barrier to entry (commit malicious config files) makes this attractive for widespread campaigns.
Organizational Impact: Critical if Gemini CLI processes untrusted code in shared runners (GitHub Actions, GitLab CI).
Patching Priority: Urgent — workflows should update and audit configuration before accepting external contributions.
Sources