{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gemini-mcp-tool--1.1.2--1.1.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["gemini-mcp-tool (\u003e= 1.1.2, \u003c 1.1.6)"],"_cs_severities":["critical"],"_cs_tags":["command-injection","file-exfiltration","npm","cli-tool","web-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-0755, exists in versions 1.1.2 through 1.1.5 of the npm package \u003ccode\u003egemini-mcp-tool\u003c/code\u003e. This flaw allows an attacker to achieve OS command injection on Windows systems by exploiting improper handling of unquoted \u003ccode\u003ecmd.exe\u003c/code\u003e metacharacters when the tool processes untrusted prompt input. In addition, the tool's \u003ccode\u003e@file\u003c/code\u003e parser can be abused to read and exfiltrate arbitrary local files from the host system, including sensitive configuration files like \u003ccode\u003e/etc/passwd\u003c/code\u003e or private keys such as \u003ccode\u003e~/.ssh/id_rsa\u003c/code\u003e. The vulnerability stems from insufficient sanitization and quoting of user-supplied prompt data before it is processed by the tool or passed to the underlying operating system. This could lead to full system compromise or extensive data theft, affecting organizations using this specific CLI tool in their development or operational workflows. The issue was addressed in version 1.1.6, which includes hardened Windows \u003ccode\u003ecmd.exe\u003c/code\u003e argument quoting and restricts \u003ccode\u003e@file\u003c/code\u003e references to the working directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Prompt\u003c/strong\u003e: An attacker creates a specially crafted prompt input containing \u003ccode\u003ecmd.exe\u003c/code\u003e metacharacters (e.g., \u003ccode\u003e\u0026amp;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e) for OS command injection or \u003ccode\u003e@file\u003c/code\u003e references (e.g., \u003ccode\u003e@/etc/passwd\u003c/code\u003e) for file exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Executes Vulnerable Tool\u003c/strong\u003e: The \u003ccode\u003egemini-mcp-tool\u003c/code\u003e (versions 1.1.2 to 1.1.5), often run via \u003ccode\u003enode.exe\u003c/code\u003e as an npm package, is executed with the attacker-controlled malicious prompt as an argument.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImproper Argument Handling (Windows)\u003c/strong\u003e: On Windows systems, the vulnerable tool processes the prompt without adequately quoting the \u003ccode\u003ecmd.exe\u003c/code\u003e metacharacters, so they are interpreted as separate commands when passed to the underlying shell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOS Command Injection\u003c/strong\u003e: The \u003ccode\u003egemini-mcp-tool\u003c/code\u003e or its child process (e.g., \u003ccode\u003enode.exe\u003c/code\u003e spawning \u003ccode\u003ecmd.exe\u003c/code\u003e) executes the injected OS commands, allowing the attacker to run arbitrary commands on the system with the privileges of the tool.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSensitive File Access (File Exfiltration)\u003c/strong\u003e: Alternatively, if the prompt includes \u003ccode\u003e@file\u003c/code\u003e references to sensitive paths (e.g., \u003ccode\u003e@C:\\Windows\\System32\\drivers\\etc\\hosts\u003c/code\u003e or \u003ccode\u003e@/etc/passwd\u003c/code\u003e), the \u003ccode\u003egemini-mcp-tool\u003c/code\u003e's internal parser will attempt to read these files from the local filesystem, bypassing intended directory restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Remote Code Execution\u003c/strong\u003e: The content of the accessed sensitive files can be retrieved or exfiltrated by the attacker, or the successful command injection grants the attacker remote code execution capabilities, enabling further compromise, persistence, or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0755 allows for critical impact, including full system compromise through remote code execution on affected Windows systems. Attackers can execute arbitrary commands, install malware, create new user accounts, or modify system configurations. Furthermore, the ability to exfiltrate arbitrary local files poses a severe risk of sensitive data exposure, including credentials, private keys, intellectual property, and internal system configurations. This could lead to significant financial losses, reputational damage, and regulatory penalties. The nature of the package suggests potential impact across development environments, CI/CD pipelines, or systems where this CLI tool is used for Gemini-related operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-0755 immediately\u003c/strong\u003e by upgrading \u003ccode\u003egemini-mcp-tool\u003c/code\u003e to version 1.1.6 or higher to address both the OS command injection and the file exfiltration vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Sysmon process_creation logging\u003c/strong\u003e on all Windows endpoints and servers to activate the rules provided in this brief.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief\u003c/strong\u003e to your SIEM and tune them for your environment to detect suspicious command execution patterns involving \u003ccode\u003enode.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e and attempts to read sensitive files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement strict input validation\u003c/strong\u003e for any applications or scripts that pass user-controlled input directly to the \u003ccode\u003egemini-mcp-tool\u003c/code\u003e CLI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T20:49:02Z","date_published":"2026-06-18T20:49:02Z","id":"https://feed.craftedsignal.io/briefs/2026-06-gemini-mcp-tool-rce-exfiltration/","summary":"A critical vulnerability, CVE-2026-0755, in npm's gemini-mcp-tool package allows for OS command injection on Windows systems due to improper handling of unquoted cmd.exe metacharacters, and arbitrary local file exfiltration via the @file parser when processing untrusted prompt input, leading to potential remote code execution and sensitive data compromise.","title":"gemini-mcp-tool Vulnerable to OS Command Injection and File Exfiltration (CVE-2026-0755)","url":"https://feed.craftedsignal.io/briefs/2026-06-gemini-mcp-tool-rce-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Gemini-Mcp-Tool (\u003e= 1.1.2, \u003c 1.1.6)","version":"https://jsonfeed.org/version/1.1"}