Tenable Uncovers “GerriScary” Supply‑Chain Compromise Vulnerability In Popular Google’s Open‑Source Projects

GerriScary allowed unauthorised code submission to at least 18 popular Google projects

New Delhi, June 18, 2025 -  Tenable, the exposure management company, has identified a vulnerability in Google’s open-source code review system, Gerrit, dubbed GerriScary. The vulnerability allowed unauthorised code submission to at least 18 major Google projects, including ChromiumOS (CVE-2025-1568), Chromium, Dart, and Bazel. GerriScary could have allowed attackers to submit unauthorised code revisions to existing change requests, bypassing manual approvals and enabling malicious code injection into major projects.

Tenable researchers discovered that misconfigured permissions in Gerrit, specifically the “addPatchSet” setting, combined with the way code tickets submit requirements were inherited between revisions, created an exploitable condition. As a result, attackers could exploit automated merging bots to deploy unreviewed malicious code with no user interaction, effectively creating a zero-click supply chain compromise.

GerriScary is a stark reminder of the cascading risks inherent in open-source ecosystems and automated developer workflows, where configuration weaknesses and automation can inadvertently widen the attack surface. "In software development, trust is paramount, especially in open-source collaboration platforms like Gerrit," said Liv Matan, Senior Security Researcher at Tenable. "GerriScary exposed a critical pathway for attackers to bypass established security protocols and directly compromise the integrity of core software projects. This serves as a stark reminder that even the most robust ecosystems must meticulously scrutinise every link in their supply chain."

Potential Impact of GerriScary Exploitation

If exploited, GerriScary could have allowed attackers to:

• Inject malicious code into widely used at least 18 Google projects such as Chromium, Bazel, and Dart

• Bypass human review through label inheritance and automation

• Tamper with code in software relied on by millions globally

Recommendations for Security Teams

While the specific flaw has been addressed by Google, Tenable recommends organisations using Gerrit:

• Audit permissions, especially the “addPatchSet” setting default

• Disable or restrict label copying across patch sets

• Review automation workflows to mitigate race conditions in approvals

“GerriScary underscores why proactive security is non-negotiable. As environments spiral in complexity, security teams simply must anticipate and mitigate risks before attackers even have a chance to exploit them,” added Matan.

Read the full research findings here:

https://www.tenable.com/blog/gerriscary-hacking-the-supply-chain-of-popular-google-products-chromiumos-chromium-bazel-dart

About Tenable

Tenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for approximately 44,000 customers around the globe. Learn more at tenable.com.

Media Contact:
Adarsh Ram 
+91 9741470477
adarsh@starsquaredpr.com