The execAsync method of Gemini MCP Tool lacks proper validation of user‑supplied strings before executing them as system commands, enabling attackers to inject arbitrary shell instructions. This flaw permits the execution of code without any authentication, and the code runs with the privileges of the service account. The vulnerability is a classic command injection, classified as CWE‑78, and can allow attackers to compromise the entire host if they can reach the vulnerable endpoint.

Gemini MCP Tool installations are impacted, regardless of version, as the flaw exists in the core implementation of the execAsync method. Users running this tool in any environment should verify whether the software is deployed and consider it vulnerable until patched.

The CVSS score of 9.8 indicates extremely high severity, and although the EPSS score is below 1%, meaning current exploitation activity appears low, the potential for a successful attack remains significant due to the lack of authentication requirement. The vulnerability is not listed in CISA’s KEV catalog, but the critical nature of the flaw and the high impact warrant immediate attention. Attackers can remotely craft malicious input to the execAsync interface and trigger arbitrary code execution in the context of the service account, which may lead to privilege escalation, data loss, or denial of service.