Command Injection Affecting @google/gemini-cli package, versions <0.39.1>=0.40.0-preview.2 <0.40.0-preview.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-GOOGLEGEMINICLI-16301693
- published27 Apr 2026
- disclosed24 Apr 2026
- creditDan Lisichkin, Elad Meged
Introduced: 24 Apr 2026
New CVE NOT AVAILABLE CWE-77 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade @google/gemini-cli to version 0.39.1, 0.40.0-preview.3 or higher.
Overview
@google/gemini-cli is a Gemini CLI
Affected versions of this package are vulnerable to Command Injection via the processing of untrusted workspace folders in headless mode and the handling of tool allowlisting under --yolo mode. An attacker can execute arbitrary code by submitting malicious content or environment variables in untrusted directories or by exploiting insufficiently restricted shell command execution.