Despite already issuing fixes for a maximum-severity vulnerability in its Gemini CLI tool, Google has warned that organizations using the command-line AI tool through GitHub Actions, or in headless mode, may have to perform additional actions to avoid breaking their CI/CD workflows, The Register reports.

The flaw, which was discovered independently by Novee researcher Elad Meged and Pillar Security's Dan Lisichkin, resulted from faulty workspace folder trust handling in Gemini CLI's headless mode, according to Google. Google said that while Gemini CLI versions 0.39.1 and 0.40.0-preview.3 already address the issue, the run-gemini-cli GitHub Action defaults to the latest release, which may prevent the loading of GitHub Actions and other automated pipelines that depend on the older automatic trust behavior. Workflows reliant on Gemini CLI's --yolo mode may also be impacted by the update.

"In version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlisting under --yolo mode. As a result, some workflows that previously depended on this behavior may fail silently unless tool allowlists are modified to fit the task," Google added.
AI/ML, Vulnerability Management, Patch/Configuration Management
Google: Addressing max severity Gemini CLI bug may require further action




