TL;DR: Command injection and prompt injection flaws in Google’s Gemini CLI showed that AI development tools can turn model interaction into system-level compromise; the issues were fixed through Google’s Vulnerability Rewards Program, according to Cyera. Access review processes assume access persists long enough to be reviewed, but AI tools can translate prompt content into privileged execution in a single session.
NHIMG editorial — based on content published by Cyera: From Prompt to Exploit, which discloses command and prompt injection vulnerabilities in Gemini CLI
By the numbers:
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%).
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams govern AI development tools that can execute shell commands?
A: Security teams should govern AI development tools as privileged execution surfaces, not as simple interfaces.
Q: Why do prompt injection flaws become more dangerous when a CLI can access local secrets?
A: Prompt injection becomes materially more dangerous when the tool can act with inherited local privileges.
Q: What do teams get wrong about command injection in AI tooling?
A: Teams often assume command injection is only a code-quality issue inside the application.
Practitioner guidance
- Separate prompt handling from command execution: run AI developer tools in constrained environments where model output cannot directly reach a shell.
- Remove shell interpolation from installation and wrapper logic: rewrite CLI operations to call processes with argument arrays rather than constructed strings.
- Treat AI dev tools as privileged NHI workloads: apply least privilege to the process, workstation, and surrounding automation.
What's in the full article
Cyera's full research covers the operational detail this post intentionally leaves for the source:
- The exact code paths behind the VS Code extension installation command injection finding.
- The prompt-injection bypass logic and validation gap that allowed backtick substitution.
- The LLM-augmented research workflow, including Semgrep triage and manual validation steps.
- The remediation notes and platform-specific impact details for Linux, macOS, and Windows.