A security vulnerability in Google's Gerrit platform, dubbed GerriScary, could have allowed attackers to inject malicious code into key projects through permission misconfigurations and race conditions. Google addressed the issue, which posed a significant supply chain threat, and the vulnerability has been officially assigned CVE-2025-1568. #GerritVulnerability #SupplyChainAttack
Key points
- A misconfiguration in Gerrit could allow malicious code injection into Google projects.
- The GerriScary vulnerability involves the addPatchSet permission and the patch approval process.
- A race condition in the automated merge process could be exploited by attackers.
- Google limited permissions and addressed unsafe copy logic after being notified of the issue.
- The vulnerability, CVE-2025-1568, was rewarded with a $5,000 bug bounty and is rated as medium severity.
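The two settings the key points name (who may call addPatchSet, and whether approval votes are copied onto a new patch set) both live in a Gerrit project's project.config. As an added defender-side example, not code from the write-up or from Google, the script below audits a constructed project.config for both conditions; the key names addPatchSet and copyCondition are Gerrit's own, while the sample configuration, the "broad group" list and the copy-condition terms treated as risky are my assumptions, not the exact misconfiguration from the report.

```python
import re
from collections import defaultdict

# Constructed sample project.config (not Google's real configuration). It pairs
# addPatchSet granted to every account with a label whose votes survive any
# new patch set (is:ANY), which is the combination the write-up warns about.
WEAK_CONFIG = """
[access "refs/for/refs/heads/*"]
    addPatchSet = group Registered Users
[label "Code-Review"]
    function = MaxWithBlock
    copyCondition = is:ANY
[label "Verified"]
    function = MaxWithBlock
    copyCondition = changekind:NO_CODE_CHANGE OR changekind:TRIVIAL_REBASE
"""

# Groups that effectively mean "anyone with an account" (assumption; tune per site).
BROAD_GROUPS = {"Registered Users", "Anonymous Users"}
# copyCondition terms that keep a vote across an arbitrary code rework (assumption).
RISKY_COPY_TERMS = ("is:ANY", "changekind:REWORK")
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text):
    """Minimal git-config style parser: {(section, subsection): {key: [values]}}."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = (match.group(1).lower(), match.group(2))
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key].append(value)  # git config allows repeated keys
    return sections


def audit_project_config(text):
    """Return human-readable findings for the two GerriScary preconditions."""
    findings = []
    for (section, sub), keys in parse_git_config(text).items():
        if section == "access":
            for rule in keys.get("addPatchSet", []):
                if rule.startswith(("deny ", "block ")):  # only allow rules matter
                    continue
                group = rule.removeprefix("group ").strip()
                if group in BROAD_GROUPS:
                    findings.append(f"addPatchSet on {sub} granted to broad group '{group}'")
        elif section == "label":
            for cond in keys.get("copyCondition", []):
                if any(term in cond for term in RISKY_COPY_TERMS):
                    findings.append(f"label {sub} copies votes across reworks: '{cond}'")
    return findings


if __name__ == "__main__":
    for finding in audit_project_config(WEAK_CONFIG):
        print("FINDING:", finding)
```

Narrowing addPatchSet to trusted groups and restricting copyCondition so votes do not follow a reworked patch set removes both preconditions the key points describe.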
Read More: https://www.securityweek.com/gerrit-misconfiguration-exposed-google-projects-to-code-injection/