Overview
- Version 0.1.14, released July 25, flags and warns users before executing data-transfer commands and closes semicolon-based bypasses.
- Tracebit researchers uncovered the flaw on June 27, finding that Gemini CLI lacked proper validation of context files like README.md and GEMINI.md.
- Attackers could embed semicolon-separated payloads in allow-listed commands to run unauthorized scripts and quietly exfiltrate environment variables.
- Malicious instructions could be concealed through whitespace manipulation in AI output, leaving developers unaware of hidden code execution.
- Testing shows OpenAI Codex and Anthropic Claude remain immune to this exploit thanks to more robust allow-list mechanisms.