Security researchers discovered a critical vulnerability (CVE-2025-1568) in Google’s Gerrit code-review system, allowing any registered user to inject malicious code into 18 high-profile projects, including ChromiumOS, Dart, and Bazel.
Dubbed GerriScary, the exploit chain combines three weaknesses:
- addPatchSet over-privileging: the default permission grants external users addPatchSet on Gerrit's refs/for/* namespace, so any registered account can push new patch sets onto other people's open changes
- Label persistence flaws: misconfigured Copy Conditions carried existing approvals over to the attacker's patch set instead of resetting them
- Commit-Queue race: a roughly 5-minute window after a Commit-Queue+2 approval in which the change can be swapped out before the automated merge bot acts on it
```ini
# Example of the vulnerable permission layout in a Gerrit project.config
# (git-config syntax). The addPatchSet grant to Registered Users on
# refs/for/* is what lets any account modify someone else's change.
[access "refs/for/*"]
	addPatchSet = group Registered Users
	push = group Registered Users
	label-Code-Review = -2..+2 group Registered Users
	submit = group Project Owners
```
2. Technical Breakdown:
The exploit chains project.config misconfigurations together in three phases:
Phase 1: Initial Access
- The attacker signs in to the target Gerrit instance with an ordinary Google account; no project membership is required
- A scraper runs status:submittable queries to find open changes whose approvals are already in place
Phase 2: Payload Delivery
```bash
# Sample Gerrit REST call used as a write-permission probe (PoC).
# Gerrit's Set Commit Message endpoint is PUT /changes/{change-id}/message;
# authenticated callers either send a session cookie or prefix the path
# with /a/ and use their Gerrit HTTP password.
curl -X PUT --header "Content-Type: application/json" \
  -d '{"message":"Innocuous message with hidden payload"}' \
  https://chromium-review.googlesource.com/changes/12345/message
```
A 209 response confirms that the caller has write permission on the change.
Phase 3: Automated Compromise
- The malicious patch set inherits the Code-Review+2 and Verified+1 labels through the flawed Copy Conditions, so it still appears fully approved
- The Commit-Queue bot merges the poisoned change within about 300 seconds of the final approval, before a human reviewer notices the new patch set
3. Impact & Mitigation:
Google corrected the configurations across the affected repositories, but self-hosted Gerrit instances that ship with the same defaults may still be exposed:
| Project | Severity |
|---|---|
| ChromiumOS | Critical |
| Bazel | Critical |
| Dart | High |
| BoringSSL | High |
| Android-KVM | High |
| Quiche | High |
Remediation Steps Implemented:
- Removed addPatchSet from the Registered Users group in ChromiumOS
- Updated the label Copy Conditions so that approvals are reset when a new patch set is uploaded
- Added manual review gates in front of Commit-Queue automation
Security teams running Gerrit should audit their project.config files for the same permission structure (addPatchSet and push granted to Registered Users on refs/for/*, Copy Conditions that carry +2 across a rework) and add submit-requirement validation to their review workflows.
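The following script is an added example for this write-up, not Tenable's tooling or Gerrit's own code. It covers the two checks above: it parses a project.config (git-config syntax), reports who holds addPatchSet on refs/for/*, and models a subset of Gerrit's label copyCondition grammar (changekind:, is:MIN/MAX/ANY/<vote>, AND, OR; no parentheses) to show which approvals the Phase 3 step relies on would carry over to a REWORK patch set pushed by an attacker. Both configs embedded in it are constructed for illustration; the evaluator is a simplified model of Gerrit's behaviour, not its implementation.

```python
"""Audit a Gerrit project.config for the GerriScary preconditions.

Added example, not Gerrit's or Tenable's code. Parses project.config,
flags addPatchSet grants on refs/for/*, and evaluates a modelled subset of
the label copyCondition grammar against a REWORK patch set.
"""
import re

# Constructed sample: the weak layout described in the article.
VULNERABLE_CONFIG = """\
[access "refs/for/*"]
\taddPatchSet = group Registered Users
\tpush = group Registered Users
[access "refs/heads/*"]
\tlabel-Code-Review = -2..+2 group Project Owners
\tsubmit = group Project Owners
[label "Code-Review"]
\tvalue = -2 Do not submit
\tvalue = +2 Looks good to me, approved
\tcopyCondition = is:ANY
[label "Verified"]
\tvalue = -1 Fails
\tvalue = +1 Verified
\tcopyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN
"""

# Constructed sample: hardened layout, addPatchSet restricted and +2 not copied.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    "addPatchSet = group Registered Users", "addPatchSet = group Project Owners"
).replace(
    "copyCondition = is:ANY",
    "copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN",
)

SECTION_RE = re.compile(r'^\[(\w[\w-]*)(?:\s+"([^"]*)")?\]$')


def parse_project_config(text):
    """Return {(section, subsection): [(key, value), ...]}.

    Values are kept as an ordered list because git-config allows a key to
    repeat within a section (several `value =` or `submit =` lines).
    """
    cfg, current = {}, ("", None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            cfg.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        cfg.setdefault(current, []).append((key.strip(), value.strip()))
    return cfg


def copy_condition_holds(condition, change_kind, vote, min_value, max_value):
    """Does `vote` survive a new patch set of kind `change_kind`?

    Modelled subset of Gerrit's copyCondition grammar: OR-separated clauses
    of AND-joined terms. An empty condition copies nothing.
    """
    def term(t):
        pred, _, arg = t.partition(":")
        if pred == "changekind":
            return change_kind == arg
        if pred == "is":
            if arg == "ANY":
                return True
            if arg == "MIN":
                return vote == min_value
            if arg == "MAX":
                return vote == max_value
            return vote == int(arg)
        raise ValueError(f"unsupported copyCondition term: {t}")

    if not condition:
        return False
    return any(all(term(t.strip()) for t in clause.split(" AND "))
               for clause in condition.split(" OR "))


def audit(cfg, change_kind="REWORK"):
    """Return human-readable findings for the GerriScary preconditions."""
    findings = []
    for key, value in cfg.get(("access", "refs/for/*"), []):
        if key == "addPatchSet" and "Registered Users" in value:
            findings.append("addPatchSet on refs/for/* is granted to Registered "
                            "Users: any account can push patch sets to other "
                            "people's changes")
    for (section, label), entries in cfg.items():
        if section != "label":
            continue
        values = [int(v.split()[0]) for k, v in entries if k == "value"]
        cond = next((v for k, v in entries if k == "copyCondition"), "")
        if not values:
            continue
        top, bottom = max(values), min(values)
        # Ask whether the label's highest vote is copied onto the new patch set.
        if copy_condition_holds(cond, change_kind, top, bottom, top):
            findings.append(f"label {label}: +{top} is copied to a {change_kind} "
                            f"patch set (copyCondition = {cond or '<unset>'})")
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(parse_project_config(text)) or ["no findings"]:
            print(" -", finding)
```

On the constructed vulnerable config the audit reports the addPatchSet grant and that Code-Review +2 survives a rework (is:ANY), while Verified +1 does not because its condition only copies on NO_CHANGE, TRIVIAL_REBASE or a minimum vote; the hardened config produces no findings. Run it against your own project.config and All-Projects inheritance chain, and extend the evaluator before relying on it for conditions that use parentheses, NOT, or the approverin:/uploaderin: predicates.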
As open-source collaboration platforms expand, this incident underscores the importance of hardening CI/CD pipelines against permission escalation attacks.