Security researchers from Tenable have discovered a vulnerability, dubbed GerriScary, in Google's deployments of the open source code review system Gerrit. It would have allowed malicious code to be injected into at least 18 central Google projects, including ChromiumOS (CVE-2025-1568), Chromium, Dart and Bazel. Attackers could have used GerriScary to tamper with existing change requests (Gerrit "changes"), bypass the approval and submit mechanisms and inject malicious code into critical projects.
Tenable's researchers found that a misconfigured permission in Gerrit, specifically addPatchSet being granted to every registered user, combined with label copy conditions that carried approval votes over from one patch set (revision) to the next, opened an exploitable attack path. An attacker could upload a new patch set containing malicious code to a change that had already been approved; because the approvals were inherited by the new patch set, the automated merge process submitted the unreviewed code without any further human interaction, creating a de facto zero-click supply chain exploit.
GerriScary illustrates the multi-layered risks in open source ecosystems and developer workflows, where misconfiguration and automation can unintentionally increase the attack surface, Tenable wrote to me.
"Trust is critical in software development – especially when it comes to open source collaboration platforms like Gerrit," said Liv Matan, Senior Security Researcher at Tenable. "GerriScary has opened up an exploitable attack pathway through which threat actors could bypass established security protocols and directly compromise core software projects – once again highlighting the need for even the most robust ecosystems to carefully vet every link in their supply chain."
Potential impact of GerriScary
Attackers who had managed to exploit GerriScary could have:
- Injected malicious code into at least 18 widely used Google projects such as Chromium, Bazel and Dart
- Bypassed human review, because approval labels were copied to new patch sets and submission was automated
- Manipulated code in software used by millions of people worldwide
Recommendations for security teams
Although Google has since fixed the vulnerability, Tenable recommends that organisations running Gerrit:
- Audit access rights, in particular who holds addPatchSet (by default Gerrit grants it to Registered Users, i.e. every account), and restrict it to trusted groups
- Disable or tighten the copying of labels between patch sets (copyCondition) so that approval votes do not survive a patch set that changes code
- Review automated submit workflows for the race window between approval and merge, so that a patch set uploaded after approval cannot be merged on the strength of earlier votes
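As an added, runnable illustration of the first two recommendations, and of the permission plus label-copy combination described above, here is a small Python audit script. It is not Tenable's or Gerrit's own tooling. It parses a Gerrit project.config, flags addPatchSet grants to the system groups Registered Users or Anonymous Users, and flags label copy conditions that would keep a vote on a patch set that may change code. The two embedded configs are constructed samples, and the Committers group in the hardened one is hypothetical. Because Gerrit inherits access rules from All-Projects, the All-Projects config should be audited with it. The third recommendation concerns the submit bot's timing rather than project.config and is not covered here.

```python
# Audit a Gerrit project.config for the two settings behind GerriScary.
# Added example, not Tenable's or Gerrit's own tooling; the group names and
# both sample configs below are constructed for illustration.
import re
from collections import defaultdict

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
KEY_RE = re.compile(r'^([\w-]+)\s*=\s*(.*)$')

# Gerrit system groups that contain every account (or everyone at all).
BROAD_GROUPS = {"Registered Users", "Anonymous Users"}
# copyCondition predicates that only match patch sets without a code change, or
# negative votes. Every other predicate is reported for manual review; the
# script does not evaluate the boolean structure of the expression.
SAFE_PREDICATES = {"changekind:NO_CHANGE", "changekind:NO_CODE_CHANGE", "is:MIN"}
# Legacy boolean copy settings (Gerrit < 3.8) that carry votes onto reworked code.
LEGACY_RISKY_KEYS = ("copyAnyScore", "copyMaxScore", "copyAllScoresOnTrivialRebase",
                     "copyAllScoresOnMergeFirstParentUpdate",
                     "copyAllScoresIfListOfFilesDidNotChange")

def parse_project_config(text):
    """Parse git-config style text into {(section, subsection): {key: [values]}}.
    Keys may repeat (one line per rule), so every value is kept in a list."""
    cfg = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            cfg[current]  # register the section even if it stays empty
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            cfg[current][m.group(1)].append(m.group(2).strip())
    return cfg

def broad_add_patch_set(cfg):
    """Return [(ref, group)] where addPatchSet is granted to a broad group.
    Rules look like "group <name>"; a "deny " or "block " prefix removes the
    permission instead of granting it, so such rules are skipped."""
    findings = []
    for (section, ref), keys in cfg.items():
        if section != "access":
            continue
        for rule in keys.get("addPatchSet", []):
            if rule.startswith(("deny ", "block ")):
                continue
            group = rule.removeprefix("group ").strip()
            if group in BROAD_GROUPS:
                findings.append((ref, group))
    return findings

def permissive_label_copy(cfg):
    """Return [(label, reason)] for labels whose votes can survive a patch set
    that may change the code that was reviewed."""
    findings = []
    for (section, label), keys in cfg.items():
        if section != "label":
            continue
        for cond in keys.get("copyCondition", []):
            tokens = [t for t in re.split(r"[\s()]+", cond)
                      if t and t.upper() not in ("AND", "OR", "NOT")]
            unsafe = [t for t in tokens if t not in SAFE_PREDICATES]
            if unsafe:
                findings.append((label, "copyCondition uses " + ", ".join(unsafe)))
        for key in LEGACY_RISKY_KEYS:
            if any(v.lower() == "true" for v in keys.get(key, [])):
                findings.append((label, f"{key} = true"))
    return findings

def audit(text):
    """Run both checks on one project.config; empty lists mean nothing was flagged."""
    cfg = parse_project_config(text)
    return {"addPatchSet": broad_add_patch_set(cfg),
            "labelCopy": permissive_label_copy(cfg)}

# Constructed sample shaped like Gerrit's stock defaults, not any real project.
WEAK_CONFIG = """
[access "refs/for/*"]
  addPatchSet = group Registered Users
[label "Code-Review"]
  function = MaxWithBlock
  copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:ANY
"""

# Constructed hardened variant; "Committers" is a hypothetical trusted group.
HARDENED_CONFIG = """
[access "refs/for/*"]
  addPatchSet = group Committers
[label "Code-Review"]
  function = MaxWithBlock
  copyCondition = changekind:NO_CHANGE OR is:MIN
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text))
```

The copyCondition syntax is the one Gerrit has used since 3.6; older installations express the same thing with the legacy boolean keys the script also checks. The script deliberately treats every predicate outside its small safe set as suspicious, including narrowing ones such as uploaderin: or approverin:, so its output is a list for a human to review, not a verdict.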
"GerriScary clearly demonstrates why proactive security is essential. In increasingly complex IT environments, security teams need to identify and fix vulnerabilities early so that attackers don't have the chance to exploit them in the first place," adds Matan. Tenable has published the full research results in a research blog post.