Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution

The Hacker News, Apr 30, 2026

Why It Matters

The Gemini fix safeguards CI/CD workflows from supply‑chain compromise, while Cursor’s bugs expose developers to code execution and credential theft, underscoring the urgent need for hardened AI development environments.

Key Takeaways

  • Gemini CLI CVSS 10 flaw allowed arbitrary host command execution
  • Patch now requires explicit workspace trust before loading configuration
  • --yolo mode policy engine now enforces tool allowlisting
  • Cursor IDE flaw let malicious Git hooks execute code via AI prompts
  • Extension access control bug exposed local API keys and credentials

Pulse Analysis

The Gemini CLI vulnerability exposed a dangerous shortcut in CI pipelines: by automatically trusting the current workspace, the tool could load a malicious configuration file and execute commands on the host system. Attackers targeting pull‑request workflows could inject code without triggering any sandbox, turning continuous integration into a supply‑chain entry point. Google’s remediation—mandating explicit trust flags and reinforcing allow‑list checks in --yolo mode—forces teams to treat CI inputs as untrusted by default, a best practice that aligns with zero‑trust principles.

Cursor’s AI‑driven IDE illustrates a different attack surface. The prompt‑injection flaw leveraged Git’s native hook mechanism, allowing a malicious bare repository to run code when the AI agent performed a checkout operation. Coupled with an extension‑level access‑control weakness that exposed locally stored API keys, the bugs could lead to full system compromise and credential theft. These issues reveal how AI features that automate developer actions can unintentionally amplify traditional software supply‑chain risks, especially when they interact with version‑control systems without strict sandboxing.
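A defender-side check for the pattern described above, added here as an example and not taken from the article, Cursor or Git: since Git refuses to track a path named `.git`, a repository hidden inside a checkout has to use the bare layout (`HEAD`, `objects/`, `refs/` in an ordinary directory), so this script walks a workspace for that layout and reports any non-sample hook files it carries. The function names and the `vendor/cache` sample tree are constructed for illustration.

```python
import os
import tempfile

def is_git_dir(path):
    """True if path is laid out like a Git repository (HEAD, objects/, refs/)."""
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isdir(os.path.join(path, "objects"))
            and os.path.isdir(os.path.join(path, "refs")))

def active_hooks(git_dir):
    """Files in hooks/ that are not the *.sample templates Git ships."""
    hooks = os.path.join(git_dir, "hooks")
    if not os.path.isdir(hooks):
        return []
    return sorted(n for n in os.listdir(hooks)
                  if not n.endswith(".sample")
                  and os.path.isfile(os.path.join(hooks, n)))

def find_embedded_bare_repos(workspace):
    """Map relative path -> hook names for bare-repo layouts under workspace."""
    findings = {}
    for root, dirs, _files in os.walk(workspace):
        if os.path.basename(root) == ".git":
            dirs[:] = []          # ordinary repository metadata, not a bare layout
            continue
        if root != workspace and is_git_dir(root):
            findings[os.path.relpath(root, workspace)] = active_hooks(root)
            dirs[:] = []          # do not descend into objects/ and refs/
    return findings

def build_constructed_sample(base):
    """Constructed test tree: a normal checkout with a bare repo hidden in vendor/."""
    for d in (".git/objects", ".git/refs", "src",
              "vendor/cache/objects", "vendor/cache/refs", "vendor/cache/hooks"):
        os.makedirs(os.path.join(base, d))
    for f in (".git/HEAD", "vendor/cache/HEAD"):
        with open(os.path.join(base, f), "w") as fh:
            fh.write("ref: refs/heads/main\n")
    for hook in ("post-checkout", "pre-commit.sample"):
        with open(os.path.join(base, "vendor/cache/hooks", hook), "w") as fh:
            fh.write("#!/bin/sh\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, hooks in find_embedded_bare_repos(build_constructed_sample(tmp)).items():
            print(f"bare repository layout at {path}: hooks={hooks}")
```

Running it over a freshly cloned or pull-request workspace before an agent or IDE opens it gives a list of directories to review; an empty result means no bare layout was found, not that the tree is otherwise safe.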

Together, the Gemini and Cursor incidents signal a broader shift: AI‑enhanced development tools are becoming high‑value targets for attackers seeking to infiltrate build pipelines and developer workstations. Organizations should audit third‑party AI utilities, enforce explicit trust boundaries, and apply least‑privilege policies to extensions and plugins. Continuous monitoring, automated dependency scanning, and regular security reviews of AI‑generated code are essential to mitigate the emerging threat landscape and preserve the integrity of modern software delivery chains.
