Google Patches Critical RCE Flaw in Antigravity AI Tool

Google has released a patch for a critical remote code execution (RCE) vulnerability in its experimental AI product codenamed “Antigravity,” which provides agentic capabilities for filesystem operations. The flaw, discovered by researchers at Dark Reading, stemmed from an insufficient input sanitization routine that failed to properly neutralize prompt‑injection payloads embedded in file names and content. By crafting a file with a maliciously formatted name containing nested braces and command‑like substrings, an attacker could cause the LLM‑powered agent to interpret the payload as a privileged instruction, bypassing the sandbox and executing arbitrary code on the host system.

The vulnerability was traced to the component that normalizes user‑supplied text before it is fed into the language model. Although the code stripped known dangerous keywords such as “exec” and “system,” it overlooked certain syntactic elements that the model’s decoder could reinterpret as function calls. This oversight allowed the injection to slip through validation, ultimately granting the attacker the same level of access as the underlying service account, which in many deployments held read‑write permissions across critical directories.

Google’s security team addressed the issue in version 2.4.1 of Antigravity by implementing stricter input validation, including a whitelist of permissible characters, deeper parsing of nested structures, and the enforcement of a hardened sandbox environment that limits system calls. The company has assigned a CVSS score of 9.8 to the flaw and urges all users to update immediately to mitigate the risk of exploitation. The incident highlights the growing attack surface introduced by integrating large language models with privileged system operations, underscoring the need for robust sanitization and defense‑in‑depth strategies in AI‑centric products.

In addition to the patch, Google has launched a bug‑bounty program for the Antigravity tool and is working with third‑party auditors to review similar components across its AI portfolio. Organizations that cannot apply the update immediately should disable the filesystem‑operation features of Antigravity and monitor for anomalous behavior such as unexpected process spawns or unusual file access patterns. The case serves as a reminder that even AI‑assisted automation can become a vector for compromise if security controls are not aligned with the unique parsing behavior of language models.