Google Cloud Shell command injection

Published Tue, Dec 28th, 2021


A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access. The "Open in Cloud Shell" functionality allowed a user to provide values for both the "git_repo" and "go_get_repo" parameters, which would clone the target repo in the user's environment. While "git_repo" was validated against a list of trusted repos, "go_get_repo" was not. Therefore, an attacker could have supplied a trusted repository as "git_repo" and an arbitrary command in the "go_get_repo" parameter. The command would then be executed in a trusted environment where it is possible to access the user's home directory and to perform API calls using the user's credentials. However, the impact of this is unclear, as an attacker would seemingly only be able to gain such a remote shell on their own instance. In theory, phishing could be used to try and coerce a user into running a command that exposed their credentials to the attacker. Google mitigated this issue by preventing users from being able to provide both parameters at once.

Affected Services

Cloud Shell


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Exploitablity Period
Until 2021/01/23
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Ademar Nowasky Junior