Overview

• Tracebit researchers uncovered the flaw days after its June 25 launch and reported it to Google on June 27.
• The vulnerability exploited how Gemini CLI parsed context files like README.md and GEMINI.md, allowing prompt injection and allow-list bypass.
• In a proof-of-concept attack, Tracebit combined a benign Python script with a poisoned README.md to trigger silent execution and exfiltration of environment variables.
• Google shipped Gemini CLI version 0.1.14 on July 25, closing the allow-list bypass and hardening context-file validation.
• Users should upgrade to version 0.1.14 and restrict Gemini CLI’s use to trusted codebases or secure sandbox environments, since other agents like OpenAI Codex and Anthropic Claude were unaffected.