Google

A critical supply chain vulnerability dubbed 'GerriScary' (CVE-2025-1568) was discovered in Google's Gerrit code collaboration platform. This vulnerability allowed attackers to inject malicious code into at least 18 major Google projects, including ChromiumOS, Chromium, Dart, and Bazel. The flaw stemmed from misconfigurations in Gerrit that let unauthorized users compromise trusted software repositories through a sophisticated attack chain. The vulnerability affected critical projects across multiple domains, highlighting the potential for significant damage to Google's operations and reputation.

Source: https://cybersecuritynews.com/gerriscary/

TPRM report: https://scoringcyber.rankiteo.com/company/google

"id": "goo901061725",
"linkid": "google",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Google',
                        'size': 'Large',
                        'type': 'Technology Company'}],
 'attack_vector': 'Misconfigurations in Gerrit code collaboration platform',
 'description': "A critical supply chain vulnerability dubbed 'GerriScary' "
                '(CVE-2025-1568) that could have allowed attackers to inject '
                'malicious code into at least 18 major Google projects, '
                'including ChromiumOS, Chromium, Dart, and Bazel.',
 'impact': {'systems_affected': ['ChromiumOS',
                                 'Chromium',
                                 'Dart',
                                 'Bazel',
                                 'Dawn',
                                 'BoringSSL',
                                 'Ceres Solver',
                                 'Quiche',
                                 'Android KVM',
                                 'various Linux-related projects']},
 'lessons_learned': 'Proper configuration of Gerrit’s Copy Conditions settings '
                    'is critical to prevent unauthorized code submission.',
 'motivation': 'Unauthorized code submission',
 'post_incident_analysis': {'corrective_actions': 'Reconfigured label '
                                                  'persistence settings and '
                                                  "restricted 'addPatchSet' "
                                                  'permissions',
                            'root_causes': 'Misconfigurations in Gerrit’s '
                                           'default settings and Copy '
                                           'Conditions settings'},
 'recommendations': 'Organizations using Gerrit should review and properly '
                    'configure their Copy Conditions settings to avoid similar '
                    'vulnerabilities.',
 'response': {'remediation_measures': ['Reconfigured label persistence '
                                       'settings',
                                       "Removed 'addPatchSet' permissions from "
                                       'registered users']},
 'title': 'GerriScary Vulnerability in Google’s Gerrit Platform',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2025-1568'}