Critical | Vulnerability | Active

Gemini MCP Tool: Path Traversal and Command Injection via Unsafe Prompt Parsing

gemini-mcp-tool versions prior to 1.1.6 fail to validate @file prompt directives, enabling arbitrary file exfiltration and OS command injection on Windows. Defenders must patch immediately and audit logs for suspicious @file references.

Sebastion

CVE References

Affected

gemini-mcp-tool < 1.1.6

Vulnerability Description

The vulnerability resides in the Gemini MCP Tool's CLI @file parser, which processes user-supplied prompts without proper input validation or path canonicalization. The parser interprets @-prefixed tokens as file references (e.g., @/etc/passwd, @~/.ssh/id_rsa) and reads their contents into the prompt context. Additionally, on Windows platforms, the tool wraps arguments with double-quotes to invoke shell behavior via cmd.exe, but fails to properly escape metacharacters, allowing breakout into arbitrary OS commands. This is a path-traversal (CWE-22) and OS command injection (CWE-78) vulnerability chain.

PoC Significance

The proof-of-concept demonstrates that untrusted prompt input—potentially supplied by users, third-party integrations, or adversaries controlling stdin—reaches the @file parser without sanitization. The reliability is high because the parser operates by design on every prompt. Preconditions are minimal: an attacker needs the ability to supply input to the CLI (local access, API call, prompt injection via parent application). The PoC proves both capabilities: (1) arbitrary file reads via traversal sequences (@../../secret), and (2) shell metacharacter breakout on Windows (cmd.exe unquoted arguments).

Detection Guidance

Log Indicators:

  • CLI invocations or logs containing @/, @~, or @.. patterns in user input
  • Unexpected file access to /etc/passwd, ~/.ssh/, or sensitive directories correlated with tool execution
  • Windows Event Log (Security): suspicious child process creation from cmd.exe spawned by the tool, or process command lines with unusual escaping patterns
  • Audit/stderr logs showing file read operations outside the intended working directory

Detection Method:

  • Monitor for @file syntax in prompts; flag traversal sequences (../, absolute paths, home directory expansion)
  • Correlate tool execution timestamps with file access logs showing sensitive file reads
  • On Windows, alert on cmd.exe children with metacharacter-heavy arguments (;, |, &, >)
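The log indicators and detection method above can be turned into a small scanner. The following is an added example, not code from gemini-mcp-tool or its author: it applies the advisory's indicators (traversal sequences, absolute paths, home-directory expansion, shell metacharacters) to prompt log lines. The log format used in the sample lines is constructed for the example.

```javascript
// Added example (not from gemini-mcp-tool): scan prompt log lines for @file
// directives that match the advisory's indicators.

// A file directive is an @-token at the start of the line or after whitespace,
// so e-mail addresses such as user@example.com are not matched.
const FILE_TOKEN = /(?:^|\s)@(\S+)/g;

// Return the indicator names that apply to one @file token (empty = benign).
function classifyFileToken(token) {
  const reasons = [];
  if (token.startsWith('/') || /^[A-Za-z]:[\\/]/.test(token)) reasons.push('absolute-path');
  if (token.startsWith('~')) reasons.push('home-expansion');
  if (token.split(/[\\/]/).includes('..')) reasons.push('traversal');
  if (/[;&|<>`$]/.test(token)) reasons.push('shell-metachar');
  return reasons;
}

// Extract @file tokens from one line and keep those with indicators.
function scanLogLine(line) {
  const findings = [];
  for (const m of line.matchAll(FILE_TOKEN)) {
    const token = m[1].replace(/["']+$/, ''); // drop the closing quote of the log format
    const reasons = classifyFileToken(token);
    if (reasons.length) findings.push({ token: '@' + token, reasons });
  }
  return findings;
}

// Scan a whole log, tagging each finding with its 1-based line number.
function scanLog(lines) {
  return lines.flatMap((line, i) =>
    scanLogLine(line).map(f => ({ line: i + 1, ...f })));
}

// Constructed sample log lines (hypothetical "<ts> <level> prompt=..." format).
const SAMPLE_LOG = [
  '2024-05-01T10:00:00Z INFO prompt="summarize @README.md and @src/index.ts"',
  '2024-05-01T10:00:05Z INFO prompt="explain @../../../etc/passwd"',
  '2024-05-01T10:00:09Z INFO prompt="check @~/.ssh/id_rsa for me"',
  '2024-05-01T10:00:12Z INFO prompt="review @C:\\Users\\dev\\notes.txt"',
  '2024-05-01T10:00:15Z INFO prompt="describe @notes.txt&echo"',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.token} [${f.reasons.join(', ')}]`);
}
```

Lines 2 to 5 of the sample are flagged, one indicator each; line 1 references only files relative to the working directory and is not. The token regex is deliberately anchored on whitespace so that e-mail addresses in prompts do not produce false positives; tune the metacharacter class to the shell actually in use on the host.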

Mitigation Steps

  1. Immediate Patch: Upgrade to gemini-mcp-tool ≥1.1.6
  2. Pre-Patch Workarounds:
    • Restrict CLI input to programmatic, sanitized prompts only (disable user-supplied input)
    • Run the tool in a sandboxed environment or container with minimal filesystem permissions
    • Use a firewall or an AppArmor/SELinux profile to restrict file access to the working directory only
  3. Post-Patch Verification:
    • Verify the fix includes assertSafeFileReferences() validation
    • Test that @file references outside the working directory are rejected
    • On Windows, confirm cmd.exe arguments are properly quoted and metacharacters are escaped
  4. Hardening: Disable @file parsing entirely if not required; consider an allowlist of safe file paths

Risk Assessment

Likelihood of Exploitation: High. The vulnerability is trivial to exploit (crafting a malicious prompt requires minimal effort), requires no authentication, and is likely triggered by workflows that accept user input. Threat actors targeting local data exfiltration or lateral movement in shared CI/CD environments will prioritize this.

Threat Actor Interest: Moderate to high for nation-states and APT groups conducting supply-chain attacks or targeting developers. Lower priority for script-kiddies unless integrated into a larger attack chain. The exfiltration of SSH keys or secrets makes this immediately valuable for post-exploitation.

Real-World Risk: Systems running untrusted prompts (e.g., LLM inference pipelines, community chatbot backends, or CI/CD systems accepting external input) face critical risk. Isolated developer machines are lower risk unless part of a social engineering campaign.