Developers beware
AI tools are all about speeding up and automating tedious and time consuming tasks. However, they also do the same thing for prompt injection attackers. The exploit documented by Tracebit involves assumptions, but not unreasonable ones, that an attacker could exploit under real-world conditions. Meanwhile, the hunt is already underway to find prompt injection flaws across a wide range of contexts and tools.
In short, while Tracebit’s flaw is the first discovered in Gemini CLI, it is probably not the last. The flaws, classified by Google as a high severity (V1) and priority fix (P1), were patched in Gemini CLI v0.1.14 released on July 25, which is why we’re hearing about it now.
Beyond updating to the patched version of Gemini CLI, the best advice is always to run tools in sandbox mode to isolate them from the host system. Google’s response to the disclosure, sent to Tracebit, underlined the latter point:
