Google Patches Perfect-Score Vulnerability in Gemini CLI, Sounding Alarm on AI Coding Tool Security
Introduction: A Perfect CVSS Score Vulnerability Shakes the AI Development Community
Google recently issued an emergency patch for a critical security vulnerability in Gemini CLI, its open-source AI coding tool. The flaw was rated 10.0 under the Common Vulnerability Scoring System (CVSS), the highest score the framework allows. Around the same time, Cursor, another widely used AI coding assistant, was found to contain flaws that could be exploited to execute malicious code. Together these events have put the security of AI development tools squarely in the spotlight.
Vulnerability Details: Attackers Could Remotely Execute Arbitrary Commands
The vulnerability affects two Google-maintained components: the npm package @google/gemini-cli and the GitHub Action google-github-actions/run-gemini-cli that runs it inside workflows.
According to the security researchers who reported it, the core issue is that an unprivileged external attacker could cause content they control to be loaded as Gemini CLI's configuration. Because the configuration governs what the tool runs, no authentication or prior foothold is needed: a crafted configuration is enough to make the tool execute arbitrary commands on the host, which amounts to remote code execution (RCE).
The vulnerability is especially dangerous for teams that run Gemini CLI inside continuous integration/continuous deployment (CI/CD) pipelines. In an open-source project the untrusted input can be as ordinary as a Pull Request: if a workflow runs Gemini CLI against the contributed changes, malicious content in the PR can trigger command execution in the CI environment, letting the attacker read secrets, inject backdoor code, or take over the build environment outright.
A CVSS score of 10.0 means the vulnerability has the worst value on every base metric: it is exploitable over the network with low attack complexity, requires no privileges and no user interaction, and fully compromises confidentiality, integrity, and availability. Under CVSS v3.x, a 10.0 (rather than 9.8) additionally requires a changed scope, meaning the impact reaches beyond the vulnerable component itself; for a tool running in CI, that is the build host and every credential it holds.
Cursor Also Affected: AI Coding Tool Security Issues Are Not Isolated
Notably, this is not an isolated incident. In the same period, Cursor, an AI coding tool favored by many developers, was also found to have exploitable code-execution flaws. Security weaknesses in AI coding tools are starting to look like a systemic risk rather than a one-off.
An increasing number of developers and enterprises are integrating AI coding assistants deeply into their workflows. From code completion to automated builds, these tools are gaining broad access to codebases, credentials, and runtime environments. That same depth of integration means that when the tool itself is vulnerable, the damage can far exceed that of a conventional software defect: the tool already holds the access an attacker would otherwise have to earn.
Security Analysis: Emerging Threats Facing the AI Toolchain
This incident reveals several core security challenges facing AI development tools:
1. Expanding Configuration Injection Attack Surface: AI tools typically read configuration from several layers (system-level, project-level, user-level), and whichever layer an attacker can write to ends up controlling the tool. Project-level configuration is the weak point, because it travels with the repository and is therefore writable by anyone who can get content into a branch the tool will process, while the commands it triggers run with the privileges of the account executing the tool.
2. CI/CD Environments as High-Value Targets: AI tools running in automated pipelines have access to sensitive resources such as secret keys and deployment permissions. A breach in this context could have devastating consequences.
3. Heightened Supply Chain Attack Risk: AI tools distributed as npm packages inherit the ecosystem's supply chain exposure; a compromised release or dependency could reach tens of thousands of downstream projects in a single update cycle.
4. Intersection of Prompt Injection and Configuration Injection: AI tools follow a "read untrusted content, then act" model that conventional software lacks. Repository files, issue text, and PR descriptions are all part of the input context, and an attacker who controls any of it can steer the tool's behaviour, whether through the prompts it sees or the configuration it loads.
Recommended Actions
In response to this vulnerability, developers and security teams are advised to take the following immediate steps:
- Update Immediately: Upgrade @google/gemini-cli and the google-github-actions/run-gemini-cli action to the latest patched versions.
- Audit CI Configurations: Review what each AI tool in the CI/CD pipeline is allowed to do and apply the principle of least privilege: a read-only token, no secrets the job does not need, and no workflow that runs the tool against untrusted changes while holding write permissions.
- Enable Dependency Locking: Use lockfiles to pin dependency versions so a compromised new release is not pulled in automatically, and pin GitHub Actions to a full commit SHA rather than a floating tag. Pinning is deliberate, not permanent: a pinned vulnerable version stays vulnerable until you bump it, so pair pinning with a routine for reviewing and applying security updates.
- Monitor for Anomalous Behavior: Log the commands AI tools execute in CI and alert on anything outside the expected set, such as unexpected outbound connections, reads of credential files, or writes to the workflow directory.
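To make the audit and pinning items concrete, here is an added example (mine, not the article's and not Google's tooling) of a line-based audit of GitHub Actions workflow files for the settings those recommendations target: unpinned action refs, broad token permissions, and the pattern of running the tool against a pull request's own code with the base repository's privileges. The two workflows are constructed samples; the action names are real, the all-zero commit SHAs are placeholders, and the finding codes are my own.

```python
import re

# Constructed sample workflow, not the page's own and not Google's: it runs an AI
# coding agent on every pull request with each weak setting the audit looks for.
RISKY_WORKFLOW = """\
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: google-github-actions/run-gemini-cli@v0
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
"""

# The same job with least privilege applied. The all-zero refs are placeholders
# for the commit SHAs you have actually reviewed; they are not real commits.
HARDENED_WORKFLOW = """\
name: ai-review
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: google-github-actions/run-gemini-cli@0000000000000000000000000000000000000000
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(.*?)\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.")


def audit_workflow(text):
    """Return (code, detail) findings for one workflow file, in the order found."""
    findings = []
    declared_permissions = False
    for line in text.splitlines():
        m = PERMISSIONS_RE.match(line)
        if m:
            declared_permissions = True
            if m.group(1) == "write-all":
                findings.append(("BROAD_PERMISSIONS", "permissions: write-all"))
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            # A tag or branch can be moved to different code later; a full SHA cannot.
            findings.append(("UNPINNED_ACTION", f"{m.group(1)}@{m.group(2)}"))
    if not declared_permissions:
        findings.append(("PERMISSIONS_NOT_DECLARED",
                         "token gets the repository's default permissions"))
    # pull_request_target runs with the base repository's token and secrets.
    # Checking out the PR head in that job hands attacker-controlled files,
    # configuration included, to a tool running with those privileges.
    if "pull_request_target" in text and PR_HEAD_RE.search(text):
        findings.append(("UNTRUSTED_CHECKOUT_WITH_PRIVILEGE",
                         "pull_request_target job checks out the PR head"))
    return findings


if __name__ == "__main__":
    for name, workflow in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(workflow) or 'no findings'}")
```

The hardened variant switches to the plain pull_request trigger, which GitHub runs without repository secrets for pull requests from forks; the agent therefore cannot run with the API key on untrusted contributions, which is the intended trade-off. The checks are deliberately line-based so the script needs no YAML library; a production audit would parse the workflow properly and also inspect job-level permissions and any secrets passed through env.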
Outlook: AI Tool Security Demands Industry-Wide Attention
As adoption rates of AI coding tools like Gemini CLI, Cursor, and GitHub Copilot continue to climb among developers worldwide, the security of these tools is no longer a peripheral concern — it is a core issue that affects the entire software supply chain.
Google's swift response and patch deserve recognition, but the fact that a perfect-score vulnerability appeared at all shows that the security design of AI tools still has significant room for improvement. Vendors of AI development tools need to give security the same priority as feature work, with stronger security review before release and well-exercised vulnerability response processes.
For the industry as a whole, this incident serves as a timely wake-up call: while embracing AI to boost development efficiency, we must never overlook the security risks that AI tools themselves may introduce.
📌 Source: GogoAI News (www.gogoai.xin)
🔗 Original: https://www.gogoai.xin/article/google-patches-cvss-10-gemini-cli-vulnerability-ai-coding-tool-security
⚠️ Please credit GogoAI when republishing.