Gerrit Misconfiguration Exposed Google Projects to Malicious Code Injection

Misconfigured permissions in Google’s Gerrit code collaboration platform could have led to the compromise of ChromiumOS and other Google projects.


A misconfiguration in the Gerrit collaboration platform could have allowed attackers to inject malicious code into popular Google projects, Tenable reports.

Developed by Google, Gerrit is an open source code collaboration and review platform that allows developers to propose and approve code changes before they are merged into projects.

Registration to Gerrit is open to anyone and Google uses the platform for ChromiumOS, Bazel, Dart, Gerrit itself, third-party Chromium packages, and multiple other projects.

According to Tenable, a default permission in at least 18 Google projects, along with a race condition in the automated process of pushing approved commits, could have allowed attackers to inject malicious code without user interaction and launch supply chain attacks.

The issue, which Tenable named GerriScary, stems from the addPatchSet permission, which lets any registered user upload a new patch set to someone else's open change, combined with the way approvals were handled during the review process, which let an attacker modify an already-approved change without triggering a fresh code review.

A change is only merged by a bot once it satisfies the project's submit requirements and carries the required label scores, but because of the misconfigured permissions those approvals were carried over to the new patch set, so a change stayed trusted and submittable even after malicious code had been injected into it.

Specifically, the security firm found that multiple Google projects had not properly configured a Gerrit mechanism called ‘Copy Conditions’, which governs whether an existing label vote is carried over when a new patch set is uploaded. As configured, approval labels were copied onto additional patch sets regardless of what those patch sets changed.

In effect, this allowed Tenable to append a malicious patch set to an approved change while the change continued to satisfy its submit requirements.
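The two settings at the heart of this, an addPatchSet grant to all registered users and a copy condition that keeps a maximum vote on a reworked patch set, both live in a project's project.config. The following audit script is an added example, not Tenable's tooling or any real Google project's configuration; the weak and hardened configurations embedded in it are constructed for illustration. It evaluates each label's copyCondition against the attacker's case (a REWORK patch set with an existing maximum vote) and flags the permissive access grant; it only understands flat OR/AND conditions, and conservatively treats group-based predicates (uploaderin:, approverin:) as matching so that they are surfaced for manual review.

```python
"""Audit a Gerrit project.config for the two GerriScary preconditions:
an addPatchSet grant to Registered Users, and a label copyCondition that
carries a maximum vote onto a REWORK patch set (one that contains new code).
Added example; the configs below are constructed, not any real project's."""
import re

# Constructed sample: the WEAK configuration (hypothetical).
WEAK_CONFIG = """
[access "refs/for/*"]
    addPatchSet = group Registered Users
[label "Code-Review"]
    function = NoBlock
    value = -2 Do not submit
    value = -1 I would prefer this is not submitted as is
    value = 0 No score
    value = +1 Looks good to me, but someone else must approve
    value = +2 Looks good to me, approved
    copyCondition = is:MAX
[submit-requirement "Code-Review"]
    submittableIf = label:Code-Review=MAX AND -label:Code-Review=MIN
"""

# Constructed sample: the HARDENED configuration. Only trusted contributors may add
# patch sets, and a +2 survives only a no-op or trivial rebase (a -2 always sticks).
SAFE_CONFIG = """
[access "refs/for/*"]
    addPatchSet = group Trusted Contributors
[label "Code-Review"]
    function = NoBlock
    value = -2 Do not submit
    value = -1 I would prefer this is not submitted as is
    value = 0 No score
    value = +1 Looks good to me, but someone else must approve
    value = +2 Looks good to me, approved
    copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN
[submit-requirement "Code-Review"]
    submittableIf = label:Code-Review=MAX AND -label:Code-Review=MIN
"""


def parse_git_config(text):
    """Minimal parser for git-config style files: {(section, subsection): [(key, value), ...]}.
    Keys may repeat (several 'value =' lines), so entries are kept as an ordered list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r'^\[(\w+)(?:\s+"([^"]*)")?\]$', line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def copies_max_vote_on_rework(cond):
    """Evaluate a copyCondition for the attacker's case: a REWORK patch set that
    already carries a maximum vote. True means the +2 would survive the upload.
    Supports flat 'a AND b OR c' conditions; no parentheses or NOT."""
    def pred(p):
        name, _, arg = p.partition(":")
        if name == "changekind":
            return arg == "REWORK"
        if name == "is":
            return arg in ("MAX", "ANY")   # is:MIN never matches a +2
        if name == "has":
            return False                   # a rework touches files
        return True  # uploaderin:/approverin: depend on group membership; surface for review
    return any(all(pred(p.strip()) for p in clause.split(" AND "))
               for clause in cond.split(" OR "))


def audit(text):
    """Return human-readable findings for the two weak settings."""
    findings = []
    for (kind, name), entries in parse_git_config(text).items():
        for key, val in entries:
            if kind == "access" and key == "addPatchSet" and val.lower() in (
                    "group registered users", "group anonymous users"):
                findings.append(f"access {name}: addPatchSet granted to '{val}'")
            elif kind == "label" and key == "copyCondition" and copies_max_vote_on_rework(val):
                findings.append(f"label {name}: copyCondition '{val}' keeps a +MAX vote on a REWORK")
    return findings


if __name__ == "__main__":
    for title, cfg in (("weak", WEAK_CONFIG), ("hardened", SAFE_CONFIG)):
        print(title, audit(cfg) or ["no findings"])
```

Run it against a project's own project.config (fetched from the refs/meta/config branch) to get the same two findings the article describes; a clean run means neither precondition is present, not that the submit requirements themselves are sound.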


Furthermore, the security firm discovered a race condition in the merge process, which allowed it to modify trusted and approved code changes just before the automated bot would merge them.

Attackers, Tenable explains, could query the Gerrit API, or script it, to watch for changes that are already in a submittable state and carry the labels the merge bot looks for, and then upload a malicious patch set to such a change just minutes before the bot merges it.

“It’s a matter of 5 minutes in ChromiumOS and in Dart repositories as an example, and seconds to a minute on other Google repositories, until the change is merged by the bot, including the malicious code. This is the exact race window the attacker has,” Tenable explains.
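The same signal the attacker polls for can be turned into a detection: a change that is submittable, whose approving vote predates its current patch set, and whose current patch set was uploaded by someone who neither owns the change nor cast the vote. The sweep below is an added example, not Tenable's or Google's code. It works over ChangeInfo-style records of the kind returned by Gerrit's change query endpoint with the CURRENT_REVISION and DETAILED_LABELS options (field names as in the Gerrit REST API); the records themselves are constructed, and the check assumes that a copied vote keeps its original timestamp, which is what lets it see the approval predating the upload.

```python
"""Heuristic sweep for the GerriScary pattern over Gerrit change records.
Added example with constructed data; field names follow Gerrit's ChangeInfo,
RevisionInfo and ApprovalInfo as returned by
  GET /changes/?q=is:submittable&o=CURRENT_REVISION&o=DETAILED_LABELS
"""
from datetime import datetime

GERRIT_QUERY = "/changes/?q=is:submittable&o=CURRENT_REVISION&o=DETAILED_LABELS"


def parse_ts(ts):
    """Gerrit timestamps look like '2024-10-18 10:05:00.000000000' (nanoseconds);
    Python's %f accepts at most six digits, so trim to microseconds."""
    return datetime.strptime(ts[:26], "%Y-%m-%d %H:%M:%S.%f")


def _change(number, owner, votes, uploader, uploaded, patch_set=2):
    """Build a ChangeInfo-like dict with just the fields the check reads (constructed)."""
    sha = f"deadbeef{number:04d}"
    return {
        "_number": number,
        "status": "NEW",
        "submittable": True,
        "owner": {"_account_id": owner},
        "labels": {"Code-Review": {"all": [
            {"_account_id": acct, "value": 2, "date": when} for acct, when in votes]}},
        "current_revision": sha,
        "revisions": {sha: {"_number": patch_set, "created": uploaded,
                            "uploader": {"_account_id": uploader}}},
    }


# Constructed sample set: account 100 owns every change, 200 is the reviewer,
# 4242 is an unrelated registered user.
SAMPLE_CHANGES = [
    # 1001: owner uploaded PS2, then the reviewer approved it -> normal flow
    _change(1001, 100, [(200, "2024-10-18 10:05:00.000000000")], 100, "2024-10-18 10:00:00.000000000"),
    # 1002: approved, then 4242 pushed PS2 and the +2 was copied onto it -> the pattern
    _change(1002, 100, [(200, "2024-10-18 10:05:00.000000000")], 4242, "2024-10-18 10:09:30.000000000"),
    # 1003: the approver rebased the change after voting -> not the pattern
    _change(1003, 100, [(200, "2024-10-18 10:05:00.000000000")], 200, "2024-10-18 10:07:00.000000000"),
]


def suspicious_changes(changes, label="Code-Review", max_value=2):
    """Return the changes whose current patch set was uploaded, after the last
    maximum vote, by an account that is neither the owner nor one of the approvers."""
    hits = []
    for ch in changes:
        if not ch.get("submittable"):
            continue
        rev = ch["revisions"][ch["current_revision"]]
        uploaded = parse_ts(rev["created"])
        uploader = rev["uploader"]["_account_id"]
        approvals = [a for a in ch["labels"].get(label, {}).get("all", [])
                     if a.get("value") == max_value]
        if not approvals:
            continue
        last_approval = max(parse_ts(a["date"]) for a in approvals)
        approvers = {a["_account_id"] for a in approvals}
        if (uploaded > last_approval
                and uploader != ch["owner"]["_account_id"]
                and uploader not in approvers):
            hits.append({
                "change": ch["_number"],
                "patch_set": rev["_number"],
                "uploader": uploader,
                "minutes_after_approval": (uploaded - last_approval).total_seconds() / 60,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_changes(SAMPLE_CHANGES):
        print(f"change {hit['change']} PS{hit['patch_set']}: uploaded by {hit['uploader']} "
              f"{hit['minutes_after_approval']:.1f} min after the last +2")
```

Fed with the live query output instead of SAMPLE_CHANGES, this runs inside the same window the merge bot gives the attacker, so on a fast-merging project it is best wired into a pre-submit hook or the bot itself rather than a periodic job; an uploader check alone is a heuristic and does not replace fixing the copy conditions.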

Because GerriScary resides in misconfigured permissions, any project that has not addressed the issue is susceptible to supply chain attacks leading to malicious code being injected in trusted pipelines, Tenable says.

The security firm reported the issue to Google on October 18. On October 28, Google confirmed that it had limited the addPatchSet permission to trusted contributors and that it was working on fixing the unsafe copy logic, so that a new patch set would again have to pass code review.

On November 7, the internet giant confirmed that the flaws were addressed in all Chrome/ChromeOS-related Gerrit projects, assessing the issue as ‘medium severity’ and noting that an audit of copy conditions found them safe.

“We have not found any indications that this vulnerability was previously exploited,” Google said.

In January, the company notified Tenable that its report had been awarded a $5,000 bug bounty. In February, CVE-2025-1568 was assigned to the vulnerability.

Related: Watch on Demand: Supply Chain & Third-Party Risk Security Summit

Related: 100 Car Dealerships Hit by Supply Chain Attack

Related: React Native Aria Packages Backdoored in Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
