Google Fixes CVSS 10 Gemini CLI RCE and Cursor Flaws

Google patched critical CVSS 10 RCE flaws in Gemini CLI and Cursor. Here's what developers need to know about the CI pipeline code execution risk.
Google has pushed fixes for critical remote code execution vulnerabilities in Gemini CLI and the Cursor AI coding environment, with at least one flaw rated CVSS 10. That is the maximum score. These are not theoretical risks sitting in a bug tracker. These vulnerabilities allow an attacker to execute arbitrary code in CI/CD pipelines, meaning a compromised build system can run whatever the attacker wants under your project's permissions.
The Gemini CLI RCE flaw is particularly dangerous because developer tools increasingly run in automated pipelines with elevated credentials. When the tool processing your prompts or code suggestions can be weaponized to execute arbitrary commands, the blast radius extends well beyond a single developer's machine.
How the Gemini CLI and Cursor Code Execution Vulnerabilities Work
Both flaws follow a similar exploitation pattern. Malicious input, whether through crafted project files, manipulated prompt context, or poisoned dependencies, triggers unsanitized command execution within the tool's runtime. Because Gemini CLI and Cursor operate closely with local file systems and shell environments, the attack surface is wider than a typical web application vulnerability.
In CI environments, this gets worse. Pipelines often clone external repos, process untrusted code, and run AI-assisted tooling without sandboxing. An attacker who can influence any input to Gemini CLI during a build step effectively has code execution on your build agent. From there, secrets extraction, supply chain poisoning, and lateral movement are all on the table.
Cursor's flaw relates to how the editor handles certain project configurations and external tool integrations. An attacker with the ability to plant a malicious config file in a shared repository, or serve one through a dependency, can trigger execution when a developer opens the project.
What Developers and DevOps Teams Are Actually Exposed To
The immediate risk is to any team running Gemini CLI in automated pipelines or using Cursor as a standard part of their development workflow. Shared build environments are the highest priority concern. A single exploited CI runner with access to production secrets, container registries, or cloud provider credentials can cascade into a full infrastructure breach.
Developers working on open source projects face additional exposure. Pull requests from external contributors can contain crafted files that trigger execution when a maintainer reviews them locally in Cursor or processes them through an AI-assisted pipeline tool.
How to Remediate These Vulnerabilities Now
Update immediately. Google has released patched versions of Gemini CLI. Check the official release notes for the exact version numbers and apply them across all environments, including CI base images.
For Cursor, update to the latest version and audit any shared project configuration files (.cursor, workspace settings) for unexpected entries. Treat those files the same way you treat Dockerfiles or CI configs: they are executable attack surface.
Additional steps worth taking:
- Sandbox AI tooling in CI pipelines. Run Gemini CLI in a container with minimal permissions and no access to production credentials.
- Audit which build steps invoke AI tools and whether those steps have access to secrets.
- Enable dependency scanning on any repo that feeds into AI-assisted pipelines.
- Review your CI/CD security hardening checklist for additional controls.
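One way to run the audit from the second bullet above, shown as an added example that is not from Google, Cursor, or the original article. It assumes GitHub Actions workflow syntax, treats the command names `gemini` and `cursor-agent` as markers of an AI tool step, and uses a line-based heuristic rather than a YAML parser; the sample workflow is constructed.

```python
import re

# Assumption: command names that mark an AI tool step; extend for your pipelines.
AI_TOOL = re.compile(r"\b(gemini|cursor-agent)\b", re.I)
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
STEP_START = re.compile(r"^\s*-\s+(name|uses|run|id|env):")

def split_steps(text):
    """Heuristic split of a GitHub Actions workflow into step blocks (no YAML parser)."""
    steps, outside, cur, cur_indent = [], [], None, 0
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if STEP_START.match(line):
            cur, cur_indent = [line], indent
            steps.append(cur)
        elif cur is not None and (not line.strip() or indent > cur_indent):
            cur.append(line)          # continuation of the current step
        else:
            cur = None                # dedent: back at job or workflow level
            outside.append(line)
    return ["\n".join(s) for s in steps], "\n".join(outside)

def audit(text):
    """Return (step label, secrets in reach) for every step that invokes an AI tool."""
    steps, outside = split_steps(text)
    # Conservative: secrets in workflow- or job-level env count as visible to every step.
    inherited = set(SECRET_REF.findall(outside))
    return [(s.strip().splitlines()[0].lstrip("- ").strip(),
             sorted(inherited | set(SECRET_REF.findall(s))))
            for s in steps if AI_TOOL.search(s)]

# Constructed sample workflow, not taken from any real project.
SAMPLE = """\
env:
  REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: AI review
        run: gemini -p "Review this diff"
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: Unit tests
        run: make test
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
"""
```

Calling `audit(SAMPLE)` flags the "AI review" step with three secrets in reach, including the workflow-level `REGISTRY_TOKEN` that the step never names itself.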
Can this vulnerability be exploited remotely without local access?
Yes. If an attacker can influence inputs to Gemini CLI or Cursor through repository files, dependencies, or prompt injection, they do not need direct local access. CI environments are the highest risk target.
Do I need to rotate secrets after patching?
If Gemini CLI or Cursor ran in any environment with access to secrets before patching, treat those secrets as compromised and rotate them. Assume execution may have occurred.
Does sandboxing CI pipelines fully mitigate this?
Sandboxing significantly reduces the blast radius but does not eliminate the risk. Combine it with least-privilege credentials, secret scanning, and keeping all AI tooling updated.