Google has addressed a maximum severity security flaw in its Gemini CLI tooling — specifically the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow — that could have allowed attackers without any special privileges to execute arbitrary commands on host systems. The vulnerability earned a CVSS score of 10.0, the highest possible rating, reflecting both the ease of exploitation and the severity of its potential impact.
The Vulnerability
The flaw affected two components of Google's Gemini CLI ecosystem:
- @google/gemini-cli (npm): the command-line interface package for interacting with Google's Gemini AI models
- google-github-actions/run-gemini-cli: the official GitHub Actions workflow for executing Gemini CLI commands within CI/CD pipelines
An unprivileged attacker who could influence inputs to these tools — for example by contributing to a repository that uses the affected GitHub Actions workflow — could have triggered arbitrary command execution on the runner or host system. In CI/CD contexts, this translates directly to the ability to exfiltrate secrets, modify build artifacts, tamper with deployment pipelines, or pivot to connected cloud environments.
Why CVSS 10.0 Matters
A CVSS 10.0 score is reserved for a small set of vulnerabilities that combine:
- Network reachability with low attack complexity and no authentication required: exploitation needs no credentials or account access
- No user interaction: the attack can succeed without a victim clicking a link or performing any action
- Full impact across confidentiality, integrity, and availability, with a changed scope: successful exploitation gives attackers complete control not only of the affected component but of resources beyond it (under CVSS v3.x, a flaw whose impact stays within its own component tops out at 9.8)
For tools integrated into automated CI/CD pipelines, these characteristics are particularly dangerous because pipelines often run with elevated cloud provider permissions and have access to production secrets, signing keys, and deployment credentials.
Cursor IDE Also Affected
The disclosure also noted related remote code execution flaws in Cursor, the AI-powered code editor. Cursor flaws enabling code execution represent a supply chain risk vector: an attacker who can exploit an IDE vulnerability may be able to compromise developer workstations, inject malicious code into projects, or steal credentials stored in development environments.
Impact on CI/CD Security
The Gemini CLI vulnerability exemplifies a growing category of CI/CD supply chain risks where AI-integrated tooling introduces new attack surfaces. GitHub Actions workflows are a particularly sensitive target because:
- They often run with a repository-scoped GITHUB_TOKEN whose permissions can push code and modify releases
- Many organizations inject cloud provider credentials (AWS, GCP, Azure) as Actions secrets
- Workflow outputs can directly influence production deployments
Attackers who gain code execution within a GitHub Actions runner inherit whatever permissions the workflow was granted — potentially including the ability to push malicious commits, modify releases, or exfiltrate all secrets available to that workflow.
Mitigation Steps
Google has released patched versions of both the npm package and the GitHub Actions workflow. Affected organizations should:
- Update @google/gemini-cli: pin to the latest patched version in package.json, refresh the lockfile so the patched version is what actually installs, and audit any usages in automated scripts
- Update GitHub Actions workflow references: replace any references to the vulnerable google-github-actions/run-gemini-cli version with the patched release, preferably pinned to a full commit SHA rather than a mutable tag or branch
- Audit workflow permissions: review Actions workflow permissions blocks and apply the principle of least privilege, granting only the scopes each job needs
- Rotate exposed secrets: if the vulnerable Action ran in your pipelines before patching, treat any secrets accessible to that workflow as potentially compromised
- Update Cursor: ensure the Cursor IDE is updated to the latest version to address the separately disclosed RCE flaws
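The two CI/CD checks raised above, pinning the action reference and keeping workflow permissions to least privilege, can be triaged with a small script. The following is an added example written for this page, not Google's or GitHub's tooling: it scans workflow files for run-gemini-cli references that are not pinned to a full 40-hex commit SHA and for a missing or write-all top-level permissions block. The two sample workflows are constructed for the example, and the all-zero SHA in the hardened one is a placeholder, not a real release of the action.

```shell
#!/usr/bin/env bash
# Added audit helper (example code, not part of Gemini CLI or the run-gemini-cli action).
# Checks a GitHub Actions workflow file for:
#   1. `uses:` references to google-github-actions/run-gemini-cli pinned to a mutable
#      tag or branch instead of a full 40-hex commit SHA;
#   2. a missing or `write-all` top-level `permissions:` block.
# The sample workflows below are constructed; the all-zero SHA is a placeholder.

# Echo every run-gemini-cli reference in $1 that is not pinned to a 40-hex commit SHA.
find_unpinned_gemini_refs() {
  grep -Eo 'google-github-actions/run-gemini-cli@[A-Za-z0-9._/-]+' "$1" \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Classify the top-level permissions grant of workflow $1 as "missing" (falls back to
# repository defaults), "write-all", or "scoped" (an explicit block, read-all, or {}).
# Job-level `permissions:` overrides are indented and deliberately not considered here.
classify_top_level_permissions() {
  local line
  line=$(grep -E '^permissions:' "$1" | head -n1 || true)
  if [ -z "$line" ]; then
    echo missing
  elif printf '%s\n' "$line" | grep -Eq '^permissions:[[:space:]]*write-all'; then
    echo write-all
  else
    echo scoped
  fi
}

# Audit one workflow file: findings go to stderr, "ok" or "FAIL" to stdout,
# and the return code is non-zero on any finding.
audit_workflow() {
  local f="$1" status=ok unpinned perms
  unpinned=$(find_unpinned_gemini_refs "$f")
  perms=$(classify_top_level_permissions "$f")
  if [ -n "$unpinned" ]; then
    echo "$f: run-gemini-cli reference(s) not pinned to a commit SHA:" >&2
    printf '%s\n' "$unpinned" | sed 's/^/  /' >&2
    status=FAIL
  fi
  case "$perms" in
    missing|write-all) echo "$f: top-level permissions are $perms" >&2; status=FAIL ;;
  esac
  echo "$status"
  if [ "$status" = ok ]; then return 0; else return 1; fi
}

# Write the two constructed sample workflows into a temp dir and echo its path.
make_sample_workflows() {
  local d
  d=$(mktemp -d)
  cat >"$d/weak.yml" <<'EOF'
name: gemini-review
on: [pull_request]
permissions: write-all
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0
EOF
  cat >"$d/hardened.yml" <<'EOF'
name: gemini-review
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # placeholder SHA for illustration only; pin to the real patched commit
      - uses: google-github-actions/run-gemini-cli@0000000000000000000000000000000000000000
EOF
  echo "$d"
}

# Demo over the constructed samples; in a real repository, loop over .github/workflows/*.yml.
demo_dir=$(make_sample_workflows)
for wf in "$demo_dir"/*.yml; do audit_workflow "$wf" || true; done
```

The weak sample fails both checks (a floating `@v0` tag and `write-all`), the hardened one passes. This is a quick triage, not a policy engine: it ignores job-level `permissions:` overrides, reusable workflows, and secrets handed to the action via `with:` or `env:`, so read those by hand once the obvious findings are fixed.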
Broader Context
This disclosure continues a pattern of high-severity vulnerabilities emerging in AI developer tooling. As organizations rapidly integrate AI-powered CLIs, IDE extensions, and GitHub Actions into their development workflows, the attack surface expands into infrastructure that previously had no equivalent exposure. Security teams should treat AI tooling with the same scrutiny applied to any other dependency in the software supply chain — including regular updates, permission auditing, and runtime isolation.