"GerriScary" vulnerability in Gerrit exposed code integrity risk across key Google projects

A recently disclosed vulnerability in Gerrit, the open-source code review system used by Google and others, may have exposed a pathway for unauthorised code to be introduced into critical software projects without standard approval processes. Security researchers at Tenable revealed that the flaw stemmed from misconfigured permissions and review label logic. In certain configurations, attackers could exploit a feature known as "addPatchSet" to modify already approved changes, potentially introducing malicious code without triggering a re-review.
A separate report by CybersecurityAsia.net confirmed that attackers could bypass manual review stages and use automated tools to insert unauthorised code with no user interaction.
At least 18 high-profile repositories were identified as vulnerable, including projects linked to Chromium, Dart, Bazel, and other infrastructure components. The issue also involved a race condition in the automated submission process, allowing attackers to act within a brief window before code was merged.
At the time of disclosure, no confirmed exploitation of the vulnerability had been observed in the wild. Tenable conducted responsible testing using benign code and did not attempt a full end-to-end exploit of the vulnerability.
Google has since implemented configuration changes to mitigate the problem. Tenable has warned that other open-source projects using Gerrit should review their configurations, since similar settings may exist elsewhere, and recommends that all Gerrit users audit their permission rules and label persistence policies to ensure code integrity. The underlying misconfigurations may also affect other organisations using Gerrit, particularly where default permission settings and automated code submission processes are in place. This incident underscores the ongoing importance of secure development environments in the open-source ecosystem.
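As an added defensive example (not code from Tenable, Google or the Gerrit project), the following Python script parses a constructed Gerrit project.config and flags the two settings the article singles out: addPatchSet granted to a broad group, and a label copyCondition that keeps approval votes on new patch sets. The key names follow Gerrit's project.config documentation; the sample config and the "broad group" and "permissive condition" heuristics are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample project.config (git-config syntax); not taken from any real project.
SAMPLE_CONFIG = """
[access "refs/heads/*"]
    addPatchSet = group Registered Users
[label "Code-Review"]
    value = -2 This shall not be submitted
    value = +2 Looks good to me, approved
    copyCondition = changekind:NO_CODE_CHANGE OR changekind:TRIVIAL_REBASE
[label "Verified"]
    copyCondition = is:MAX
"""

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
# Assumed heuristics: groups too broad to hold addPatchSet on protected branches, and
# copy conditions that carry existing votes onto patch sets containing new code.
BROAD_GROUPS = {"Registered Users", "Anonymous Users"}
PERMISSIVE_COPY = ("is:ANY", "is:MAX", "changekind:REWORK")


def parse_project_config(text):
    """Parse git-config style text into {(section, subsection): [(key, value), ...]},
    keeping repeated keys in order because Gerrit relies on them (several 'value' lines)."""
    entries = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; adequate for this sample
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = (match.group(1), match.group(2))
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries[current].append((key, value))
    return entries


def audit(entries):
    """Return findings: broad addPatchSet grants and labels whose votes outlive the reviewed code."""
    findings = []
    for (section, sub), kvs in entries.items():
        for key, value in kvs:
            group = re.sub(r"^group\s+", "", value)
            if section == "access" and key == "addPatchSet" and group in BROAD_GROUPS:
                findings.append(f"{sub}: addPatchSet granted to '{group}'")
            elif section == "label" and key == "copyCondition" and any(p in value for p in PERMISSIVE_COPY):
                findings.append(f"label {sub}: copyCondition '{value}' keeps votes on new patch sets")
    return findings
```

Run `audit(parse_project_config(open("project.config").read()))` against a project's exported refs/meta/config to list the grants and labels worth a second look.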