GHSA-4h5r-5jm8-jxjmCriticalCVSS 9.8
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
🔗 CVE IDs covered (1)
📋 Description
Untrusted prompt input could reach the Gemini CLI @file parser, allowing read/exfiltration of arbitrary local files (@/etc/passwd, @~/.ssh/id_rsa, @../../secret). On Windows, unquoted cmd.exe metacharacters could break out into OS command injection.
Fix (1.1.6): removed the broken shell:false double-quote wrapping; added assertSafeFileReferences() to contain @file refs to the working directory; hardened Windows cmd.exe argument quoting.
🎯 Affected products1
- npm/gemini-mcp-tool:>= 1.1.2, < 1.1.6