Google Gerrit Flaw ‘GerriScary’ Enabled 0-Click Code Injections

By Staff Writer
Tenable has uncovered a critical vulnerability in Google’s Gerrit open-source code review system, named “GerriScary.”
The flaw, tracked as CVE-2025-1568, allowed unauthorized users to inject code into at least 18 major Google projects, including ChromiumOS, Chromium, Dart, and Bazel.
Researchers found the issue stemmed from misconfigured default permissions — specifically the “addPatchSet” setting — and a logic flaw that allowed label inheritance across revisions.
Together, these allowed a zero-click compromise: an attacker could get automated merge bots to submit code without any human review.
“In software development, trust is paramount, especially in open-source collaboration platforms like Gerrit,” said Liv Matan, senior security researcher at Tenable.
“GerriScary exposed a critical pathway for attackers to bypass established security protocols and directly compromise the integrity of core software projects,” Matan added.
The vulnerability could have allowed attackers to inject malicious code into widely used software relied on by millions globally.
Affected projects include ChromiumOS, Chromium packages, Dart, and Bazel.
The U.S. National Vulnerability Database identified the flaw as a potential risk for remote code execution and denial-of-service.
Google has since patched the vulnerability across all affected repositories.
Tenable recommends that organizations using Gerrit audit permissions, especially the “addPatchSet” setting.
It also advises disabling or restricting label copying across patch sets.
Security teams should review automation workflows to mitigate race conditions in code approvals and merges.
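To make the two configuration checks above repeatable, here is an added Python audit (written for this article, not code from Tenable or the Gerrit project) that parses a Gerrit project.config and flags any addPatchSet grant to a broad group, and any label key that copies existing votes forward onto a new patch set. The sample configs are constructed; the key names are Gerrit's own, while restricting addPatchSet to "Project Owners" in the hardened sample is an illustrative choice, not a setting taken from the advisory.

```python
import re
BROAD_GROUPS = {"Registered Users", "Anonymous Users"}  # any account holder / anyone at all
# Gerrit label keys that carry existing votes forward onto a new patch set.
COPY_KEYS = {"copyCondition", "copyMinScore", "copyMaxScore", "copyAllScoresIfNoChange",
             "copyAllScoresIfNoCodeChange", "copyAllScoresOnTrivialRebase"}

def parse_project_config(text):
    """git-config style text -> {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r'^\[(\w+)(?:\s+"([^"]*)")?\]$', line)
        if header:
            name, sub = header.groups()
            current = name if sub is None else f'{name} "{sub}"'
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Return findings for broad addPatchSet grants and vote-copying labels (empty = clean)."""
    findings = []
    for section, entries in parse_project_config(text).items():
        if section.startswith("access "):
            ref = section[len("access "):].strip('"')
            for key, value in entries:
                group = value.removeprefix("group ")
                if key == "addPatchSet" and group in BROAD_GROUPS:
                    findings.append(f"addPatchSet on {ref} granted to {group}")
        elif section.startswith("label "):
            label = section[len("label "):].strip('"')
            for key, value in entries:
                if key in COPY_KEYS and value.lower() != "false":
                    findings.append(f"label {label} copies votes forward: {key} = {value}")
    return findings

# Constructed samples: the permissive shape the advisory warns about, then a restricted one.
WEAK_CONFIG = """\
[access "refs/for/*"]
    addPatchSet = group Registered Users
[label "Code-Review"]
    copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE
"""
HARDENED_CONFIG = """\
[access "refs/for/*"]
    addPatchSet = group Project Owners
[label "Code-Review"]
    function = MaxWithBlock
"""
```

Run `audit()` over the project.config of All-Projects as well as each child project, since access rules and label definitions are inherited from the parent.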
“GerriScary underscores why proactive security is non-negotiable,” said Matan.
“As environments spiral in complexity, security teams simply must anticipate and mitigate risks before attackers even have a chance to exploit them,” she added.
Experts say the incident underscores the risk automation can pose in developer workflows when not paired with stringent access controls.
They urge software teams to regularly review CI/CD pipeline configurations and implement secure defaults.
The case serves as a cautionary tale of how supply chain security gaps in trusted platforms can have far-reaching impacts across the tech ecosystem.