Overview

• Version 0.1.14, released July 25, flags and warns users before executing data-transfer commands and closes semicolon-based bypasses.
• Tracebit researchers uncovered the flaw on June 27, finding that Gemini CLI lacked proper validation of context files like README.md and GEMINI.md.
• Attackers could embed semicolon-separated payloads in allow-listed commands to run unauthorized scripts and quietly exfiltrate environment variables.
• Malicious instructions could be concealed through whitespace manipulation in AI output, leaving developers unaware of hidden code execution.
• Testing shows OpenAI Codex and Anthropic Claude remain immune to this exploit thanks to more robust allow-list mechanisms.