A critical supply chain vulnerability dubbed “GerriScary” has been discovered that could have allowed attackers to inject malicious code into trusted repositories. The vulnerability, tracked as CVE-2025-1568, affected at least eighteen major Google projects, including ChromiumOS, Dart, and Bazel. The flaw, uncovered by Tenable security researcher Liv Matan, stems from misconfigurations in Google’s Gerrit code collaboration platform and could have enabled unauthorized users to compromise trusted software repositories through a sophisticated and stealthy attack chain. It represents a significant threat to the software supply chain, potentially affecting millions of downstream users of these projects.
GerriScary leveraged three interconnected components to achieve the goal of unauthorized code submission by an unauthenticated remote attacker.
First, Gerrit’s default configuration granted the “addPatchSet” permission to all registered users, meaning anyone with a valid Google account could upload a new patch set to someone else’s change. Second, many of the vulnerable projects had logic flaws in their “Copy Conditions” settings, which determine whether approval labels carry over from one patch set to the next. The most dangerous component was a race condition against the platform’s automated code submission bots, which could be exploited to inject malicious code.
Together, these created a narrow window, ranging from a few seconds up to five minutes, in which an attacker could inject a malicious patch before the bot submitted the change.
The researcher, Liv Matan, observed that he could fingerprint vulnerable projects by analyzing specific HTTP response codes from the server: a “209” status code indicated that the required permissions were present, without generating any noise in the project’s logs. The attack chain worked by monitoring for submittable changes that had already satisfied all of their review requirements. When the exploit detected a change labeled “Commit-Queue +2,” it injected a malicious patch set. Because of the misconfigured copy conditions, the new patch set retained all of the previous approvals, and the unauthorized code was merged into the main branch.
Google responded swiftly to the responsible disclosure of this widespread software supply chain vulnerability. The company reconfigured the label persistence settings across all of the affected projects, and the ChromiumOS team went further by removing the “addPatchSet” permission from regular registered users entirely. While Google has now secured its own managed projects, the researchers warn that other organizations running Gerrit may still be vulnerable. The difficulty of configuring “Copy Conditions” correctly suggests that this class of misconfiguration could be widespread across the broader Gerrit ecosystem.
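Because the two preconditions described above (a broad “addPatchSet” grant and copy conditions that carry approvals onto a patch set that changes code) both live in a Gerrit project’s `project.config`, an operator can audit for them directly. The following is an added example, not Tenable’s tooling and not code from Gerrit or any Google project. It parses the git-config style of `project.config` and flags the two patterns; the sample configuration is constructed, and the list of copy-condition terms treated as risky (`is:ANY`, `is:MAX`, `changekind:REWORK` used on their own) is this example’s heuristic, not a rule taken from the article.

```python
"""Audit a Gerrit project.config for the two misconfigurations GerriScary
combined: broad addPatchSet grants, and copyCondition rules that let an
approval survive a new patch set that changes code.

Added example: not Tenable's tooling and not Gerrit's own code. The risk
rules below are heuristics (an assumption), not Gerrit policy.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample project.config; not taken from any real project.
SAMPLE_PROJECT_CONFIG = """\
[access "refs/heads/*"]
    addPatchSet = group Registered Users
    submit = group Project Owners
[label "Code-Review"]
    function = MaxWithBlock
    value = -2 Do not submit
    value = +2 Looks good to me, approved
    copyCondition = is:ANY
[label "Commit-Queue"]
    function = NoBlock
    value = 0 Not ready
    value = +2 Commit
    copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN
"""

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')

# Built-in groups that every account (or even no account) falls into.
BROAD_GROUPS = {"Registered Users", "Anonymous Users"}

# Copy-condition terms that copy a vote even when the new patch set
# changes code. Assumption: risky when they stand alone as an OR term.
RISKY_TERMS = {"is:ANY", "is:MAX", "changekind:REWORK"}


def parse_project_config(text: str) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Return {(section, subsection): [(key, value), ...]}, keeping repeated keys."""
    sections: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    current = ("", "")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "")
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def risky_copy_terms(condition: str) -> List[str]:
    """Top-level OR terms that copy votes regardless of what changed.

    A term narrowed with AND (e.g. 'is:MAX AND uploaderin:trusted') is not
    flagged. Parentheses are not parsed; this is a coarse heuristic.
    """
    flagged = []
    for term in re.split(r"\s+OR\s+", condition):
        term = term.strip()
        if " AND " in term:
            continue
        if term in RISKY_TERMS:
            flagged.append(term)
    return flagged


def audit_project_config(text: str) -> List[str]:
    """Return human-readable findings for the two GerriScary preconditions."""
    findings: List[str] = []
    for (section, name), entries in parse_project_config(text).items():
        if section == "access":
            for key, value in entries:
                # "deny group X" / "block group X" are restrictions, not grants.
                if key != "addPatchSet" or value.startswith(("deny", "block")):
                    continue
                group = value.split("group", 1)[-1].strip()
                if group in BROAD_GROUPS:
                    findings.append(
                        f"addPatchSet on {name} granted to '{group}': any account "
                        "can upload patch sets to other people's changes")
        elif section == "label":
            for key, value in entries:
                if key != "copyCondition":
                    continue
                for term in risky_copy_terms(value):
                    findings.append(
                        f"label {name}: copyCondition term '{term}' carries "
                        "approvals onto patch sets that change code")
    return findings


if __name__ == "__main__":
    for finding in audit_project_config(SAMPLE_PROJECT_CONFIG):
        print("-", finding)
```

On the constructed sample this reports the broad `addPatchSet` grant and the `is:ANY` copy condition on Code-Review, while the Commit-Queue condition (which only copies votes when nothing, or only a trivial rebase, changed) passes. The fix on the access side is the one ChromiumOS applied, restricting `addPatchSet` to a trusted group; on the label side it is a copy condition that does not keep approvals across a rework.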