A critical supply chain vulnerability dubbed “GerriScary” (CVE-2025-1568) could have allowed attackers to inject malicious code into at least 18 major Google projects, including ChromiumOS, Chromium, Dart, and Bazel.
The vulnerability, uncovered by Tenable security researcher Liv Matan, exploits misconfigurations in Google’s Gerrit code collaboration platform, enabling unauthorized users to compromise trusted software repositories through a multi-step attack chain.
GerriScary leveraged three interconnected components to achieve unauthorized code submission. First, Gerrit’s default configuration grants the “addPatchSet” permission to all registered users, allowing anyone with a Google account to modify existing code changes.
Second, vulnerable projects contained logic flaws in their “Copy Conditions” settings, which determine whether approval labels from previous code reviews carry over to new revisions.
The most dangerous aspect involved exploiting a race condition with automated submission bots. Attackers could identify code changes already approved with “Commit-Queue +2” labels, indicating readiness for automated merge, and inject malicious code during the narrow window before the bot executed.

In ChromiumOS and Dart repositories, this window lasted approximately five minutes, while other Google repositories provided only seconds to minutes.
GerriScary Allows Hack of 18 Google Projects
Liv Matan observed that they could fingerprint vulnerable projects by analyzing HTTP response codes when attempting to modify commit messages. A “209” status code indicated the presence of required permissions without generating noise in project logs. This technique enabled mass scanning of Google’s Gerrit infrastructure to identify affected repositories.
The attack chain worked by monitoring for submittable code changes with fulfilled requirements, then racing the automated bot submission process.
When exploitation code detected changes labeled “Commit-Queue +2,” it would inject malicious patches that retained all previous approvals due to misconfigured copy conditions, resulting in unauthorized code merging without user interaction.
The vulnerability impacted critical Google projects across multiple domains. ChromiumOS, the foundation of Chrome OS devices, was among the most significant targets.
Other affected projects included Dart (Flutter’s programming language), Dawn and BoringSSL (third-party Chromium dependencies), Bazel (Google’s build system), and Gerrit itself. Additional vulnerable repositories included Ceres Solver, Quiche, Android KVM, and various Linux-related projects.
Liv Matan demonstrated the vulnerability’s impact by successfully injecting innocent comments into ChromiumOS projects, with evidence visible in the ChromiumOS code search tool. To maintain ethical research standards, they avoided testing the complete race condition component in production environments.

Google responded swiftly to the disclosure, implementing multiple remediation measures. The company reconfigured label persistence settings across affected projects, ensuring new patch sets require fresh code reviews and verifications.
Additionally, the ChromiumOS team removed “addPatchSet” permissions from registered users, restricting the capability to trusted contributors only.
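One way to audit a Gerrit project.config for the two misconfigurations described above (addPatchSet granted to all Registered Users, and a copy condition that carries an existing approval onto a reworked patch set uploaded by an untrusted account) is to evaluate each label’s copyCondition against that exact scenario. This is example code written for this article, not Tenable’s or Gerrit’s own; both configs are constructed, the `Trusted Contributors` group name is an assumption, and only flat `OR`/`AND`/`NOT` conditions without parentheses are handled.

```python
# Added example for this article, not Tenable's or Gerrit's code: audit a Gerrit
# project.config for the two GerriScary preconditions. Both configs are constructed.
import re
WEAK = """
[access "refs/for/*"]
    addPatchSet = group Registered Users
[label "Commit-Queue"]
    copyCondition = is:MAX OR changekind:TRIVIAL_REBASE
"""
HARDENED = """
[access "refs/for/*"]
    addPatchSet = group Trusted Contributors
[label "Commit-Queue"]
    copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN
"""
SECTION = re.compile(r'^\[(\w+)(?: "([^"]+)")?\]$')

def parse_git_config(text):
    """Minimal git-config reader -> {(section, subsection): {key: [values]}}."""
    cfg, cur = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            cur = cfg.setdefault((m[1], m[2]), {})
        elif line and not line.startswith(("#", ";")):
            key, _, val = line.partition("=")
            cur.setdefault(key.strip(), []).append(val.strip())
    return cfg

# The scenario GerriScary needs: a REWORK (real code change) uploaded by an account
# in no trusted group, while the label already carries its maximum vote.
ATTACK = {"changekind": "REWORK", "vote": "MAX", "uploader_groups": set()}

def term_matches(term, s):
    """One copyCondition predicate, optionally prefixed with NOT."""
    neg = term.startswith("NOT ")
    pred, _, arg = term[4 if neg else 0:].partition(":")
    hit = {"changekind": arg == s["changekind"], "is": arg in ("ANY", s["vote"]),
           "uploaderin": arg in s["uploader_groups"],
           "approverin": True}.get(pred, False)  # approver was legit; files did change
    return hit != neg
def copies_on_rework(condition, s=ATTACK):
    """Evaluate a flat 'a OR b AND c' copyCondition (no parentheses) against s."""
    return any(all(term_matches(t.strip(), s) for t in branch.split(" AND "))
               for branch in condition.split(" OR "))
def audit(text):
    """Findings for one project.config; an empty list means neither precondition holds."""
    findings = []
    for (sec, sub), keys in parse_git_config(text).items():
        if sec == "access" and any(g.endswith(("Registered Users", "Anonymous Users"))
                                   for g in keys.get("addPatchSet", [])):
            findings.append(f"addPatchSet open to every account on {sub}")
        for cond in (keys.get("copyCondition", []) if sec == "label" else []):
            if copies_on_rework(cond):
                findings.append(f"label {sub} keeps approvals across a rework: {cond}")
    return findings
```

Running `audit(WEAK)` reports both preconditions while `audit(HARDENED)` reports none; the hardened copy condition only carries votes over when the code is unchanged or the vote is the blocking minimum.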
While Google has secured its managed projects, the researchers warn that other organizations utilizing Gerrit may remain vulnerable to similar attacks.
The complexity of configuring Copy Conditions properly suggests that misconfigurations could be widespread across the broader Gerrit ecosystem, potentially exposing numerous open-source and enterprise projects to supply chain compromises.
Vulnerable Projects Table
Project Name | Gerrit Review URL | Description |
---|---|---|
ChromiumOS | https://chromium-review.googlesource.com/c/chromiumos | Foundation operating system for Chrome OS devices |
Dart | https://dart-review.googlesource.com/ | Frontend programming language, the backbone of Flutter applications |
Dawn | https://dawn-review.googlesource.com/ | Third-party Chromium dependency for WebGPU implementation |
BoringSSL | https://boringssl-review.googlesource.com/ | Third-party Chromium dependency for cryptographic operations |
GN | https://gn-review.googlesource.com/ | Build system used by Chromium, Fuchsia, and related projects |
Bazel | https://bazel-review.googlesource.com | Google’s primary build engine and automation system |
Gerrit | https://gerrit-review.googlesource.com/#(/zull/jobs) | Code review platform itself (/zull/jobs and /gcompute-tools components) |
Ceres Solver | https://ceres-solver-review.googlesource.com/ | C++ library for modeling and solving optimization problems |
Code Review | https://code-review.googlesource.com/ | General code review system including Git mirror implementation |
Quiche | https://quiche-review.googlesource.com | Google’s production-ready implementation of QUIC, HTTP/2, HTTP/3 protocols |
Android KVM | https://android-kvm-review.googlesource.com/ | Virtualized Android runtime environment |
OpenSecura | https://opensecura-review.googlesource.com/ | AI hardware backbone infrastructure |
CUE | https://cue-review.googlesource.com/ | Data validation language and tooling |
Linux | https://linux-review.googlesource.com/ | Google’s fork of the open-source operating system |
Plan9port | https://plan9port-review.googlesource.com/ | Unix implementation with Plan 9 utilities and extensions |
Hafnium | https://hafnium-review.googlesource.com/ | System component that provides memory isolation capabilities |
Nginx | https://nginx-review.googlesource.com/ | High-performance web server implementation |
Weave | https://weave-review.googlesource.com/ | Network application layer protocol implementation |
The post Google’s Gerrit Code Platform Vulnerability Allows Hack of 18 Google Projects Including ChromiumOS appeared first on Cyber Security News.