CRITICAL 9.8

GHSA-4h5r-5jm8-jxjm

gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)

Details

Untrusted prompt input could reach the Gemini CLI @file parser, allowing read/exfiltration of arbitrary local files (@/etc/passwd, @~/.ssh/id_rsa, @../../secret). On Windows, unquoted cmd.exe metacharacters could break out into OS command injection.

Fix (1.1.6): removed the broken shell:false double-quote wrapping; added assertSafeFileReferences() to contain @file refs to the working directory; hardened Windows cmd.exe argument quoting.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / gemini-mcp-tool

Introduced in: 1.1.2 Fixed in: 1.1.6

Fix npm install gemini-mcp-tool@1.1.6

References

https://github.com/jamubc/gemini-mcp-tool/security/advisories/GHSA-4h5r-5jm8-jxjm [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-0755 [ADVISORY]
https://github.com/jamubc/gemini-mcp-tool [PACKAGE]
https://www.zerodayinitiative.com/advisories/ZDI-26-021 [WEB]