The behavior is now fixed: Google has addressed the issue by removing implicit workspace trust in headless environments and enforcing stricter tool controls, effectively changing how Gemini CLI behaves in CI/CD pipelines.The patched versions (0.39.1 and 0.40.0-preview.3) now require explicit trust decisions before loading workspace configurations, aligning non-interactive execution with the same safeguards expected in interactive use.Additionally, the fix closed a critical gap in “yolo” mode by ensuring that tool allowlisting is actually enforced, preventing loosely scoped permissions from turning into unrestricted command execution.Previously, allowlisting could be bypassed, letting CLI run commands outside the intended restrictions.Google has also brought in a broader ecosystem change. The run-gemini-cli GitHub Action (patched in v0.1.22) now automatically pulls and executes the latest version of the CLI. Workflows that pin a specific gemni-cli-version are advised to upgrade to a patched release and review their existing Gemini CLI configurations to ensure they don’t rely on unsafe defaults.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4165470/max-severity-rce-flaw-found-in-google-gemini-cli.html
