
gemini-mcp-tool Command Injection (CVE-2026-0755)

Also known as: Gemini MCP Shell Injection, gemini-mcp-tool execAsync RCE

Severity: Critical | Disclosed: January 9, 2026 | Source: SentinelOne / Zero Day Initiative | CVE-2026-0755

Overview

The gemini-mcp-tool package passes unsanitized user input to execAsync shell commands. Network-exploitable with no authentication or user interaction required. CVSS 9.8. As of disclosure, no patch is available (zero-day).

Who Is Affected

The issue was disclosed by SentinelOne, with a proof of concept published through the Zero Day Initiative. It affects all users of the gemini-mcp-tool package, which provides Gemini AI integration through MCP.

Where It Exists

The vulnerability is in the gemini-mcp-tool's command execution logic. User-supplied input is passed directly to execAsync without any sanitization, escaping, or parameterization.

When It Was Found

Disclosed January 9, 2026. This is a zero-day vulnerability -- no patch was available at time of disclosure. PoC available on ZDI.

How It Works

An attacker sends crafted input through any tool parameter that reaches the execAsync call. Since there is no authentication requirement and the vulnerability is network-exploitable, any system running the gemini-mcp-tool with network exposure can be compromised remotely. Shell metacharacters in the input execute arbitrary commands.

Impact

Unauthenticated remote code execution. This is the most severe class of vulnerability: network-accessible, requires no authentication, needs no user interaction, and has a public PoC. Attackers can fully compromise any system running the affected tool.

Mitigation

Remove or disable gemini-mcp-tool until a patch is available. If removal is not possible, restrict network access to the tool to trusted networks only. If patching locally, replace execAsync with execFile and pass arguments as an array, so that no shell is involved in interpreting user input. Monitor the package repository for an official fix.

References