Tenable uncovers ‘GerriScary’ supply chain compromise vulnerability in popular Google’s open source projects
Tenable has identified a vulnerability in Google’s open-source code review system, Gerrit, dubbed GerriScary. The vulnerability allowed unauthorised code submission to at least 18 major Google projects, including ChromiumOS (CVE-2025-1568), Chromium, Dart, and Bazel. GerriScary could have allowed attackers to submit unauthorised code revisions to existing change requests, bypassing manual approvals and enabling malicious code injection into major projects.
Tenable researchers discovered that misconfigured permissions in Gerrit, specifically the “addPatchSet” setting, combined with the way code tickets submit requirements were inherited between revisions, created an exploitable condition. As a result, attackers could exploit automated merging bots to deploy unreviewed malicious code with no user interaction, effectively creating a zero-click supply chain compromise.
GerriScary is a stark reminder of the cascading risks inherent in open-source ecosystems and automated developer workflows, where configuration weaknesses and automation can inadvertently widen the attack surface. “In software development, trust is paramount, especially in open-source collaboration platforms like Gerrit,” said Liv Matan, Senior Security Researcher at Tenable. GerriScary exposed a critical pathway for attackers to bypass established security protocols and directly compromise the integrity of core software projects. This serves as a stark reminder that even the most robust ecosystems must meticulously scrutinise every link in their supply chain.”
Potential Impact of Gerri Scary Exploitation
If exploited, GerriScary could have allowed attackers to:
- Inject malicious code into at least 18 widely used Google projects, such as Chromium, Bazel, and Dart
- Bypass human review through label inheritance and automation
- Tamper with code in software relied on by millions globally
Recommendations for Security Teams
While the specific flaw has been addressed by Google, Tenable recommends organisations use Gerrit:
- Audit permissions, especially the “addPatchSet” setting, default
- Disable or restrict label copying across patch sets
- Review automation workflows to mitigate race conditions in approvals
“GerriScary underscores why proactive security is non-negotiable. As environments spiral in complexity, security teams simply must anticipate and mitigate risks before attackers even have a chance to exploit them,” added Matan.
