
Chaos Mesh Critical GraphQL Flaws Allow RCE and Full Kubernetes Cluster Takeover

Cybersecurity researchers have disclosed a number of critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could result in cluster takeover in Kubernetes environments.

“Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform’s fault injections (such as shutting down pods or disrupting network communications), and carry out further malicious actions, including stealing privileged service account tokens,” JFrog said in a report shared with The Hacker News.

Chaos Mesh is an open-source cloud-native Chaos Engineering platform that offers various types of fault simulation and simulates various abnormalities that may occur during the software development lifecycle.


The issues, collectively referred to as Chaotic Deputy, are listed below –

  • CVE-2025-59358 (CVSS score: 7.5) – The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial-of-service
  • CVE-2025-59359 (CVSS score: 9.8) – The cleanTcs mutation in Chaos Controller Manager is vulnerable to operating system command injection
  • CVE-2025-59360 (CVSS score: 9.8) – The killProcesses mutation in Chaos Controller Manager is vulnerable to operating system command injection
  • CVE-2025-59361 (CVSS score: 9.8) – The cleanIptables mutation in Chaos Controller Manager is vulnerable to operating system command injection

An in-cluster attacker, i.e., a threat actor with initial access to the cluster’s network, could chain CVE-2025-59359, CVE-2025-59360, or CVE-2025-59361 with CVE-2025-59358 to perform remote code execution across the cluster, even in the default configuration of Chaos Mesh.

JFrog said the vulnerabilities stem from insufficient authentication mechanisms within the Chaos Controller Manager’s GraphQL server, allowing unauthenticated attackers to run arbitrary commands on the Chaos Daemon, resulting in cluster takeover.


Threat actors could then leverage that access to potentially exfiltrate sensitive data, disrupt critical services, or even move laterally within the cluster to escalate privileges.

Following responsible disclosure on May 6, 2025, all of the identified shortcomings were addressed by Chaos Mesh with the release of version 2.7.3 on August 21.

Users are advised to update their installations to the latest version as soon as possible. If immediate patching is not an option, it is recommended to restrict network traffic to the Chaos Mesh daemon and API server, and to avoid running Chaos Mesh in open or loosely secured environments.
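As an added illustration of the interim mitigation (not from the article or the Chaos Mesh project), the following Kubernetes NetworkPolicy limits ingress to the controller manager and daemon pods so that only Chaos Mesh's own components can reach them, cutting off the unauthenticated GraphQL server from the rest of the cluster. The namespace `chaos-mesh` and the `app.kubernetes.io/name` / `app.kubernetes.io/component` labels are assumptions about a default Helm install; confirm them with `kubectl get pods -n <namespace> --show-labels` before applying.

```yaml
# Added example, not part of the article or of Chaos Mesh itself.
# Assumptions: Chaos Mesh runs in namespace "chaos-mesh" and its pods carry
# app.kubernetes.io/name=chaos-mesh plus app.kubernetes.io/component set to
# "controller-manager", "chaos-daemon" or "chaos-dashboard". Adjust to your install.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: chaos-mesh-restrict-ingress
  namespace: chaos-mesh
spec:
  # Target the two components the advisory says to isolate: the controller
  # manager (hosts the GraphQL server) and the daemon (executes fault injections).
  podSelector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values: ["chaos-mesh"]
      - key: app.kubernetes.io/component
        operator: In
        values: ["controller-manager", "chaos-daemon"]
  policyTypes:
    - Ingress
  ingress:
    # Everything not matched below is denied. Only pods in this namespace that
    # belong to Chaos Mesh (dashboard, controller manager, daemon) may connect,
    # so an arbitrary workload elsewhere in the cluster can no longer reach
    # the controller manager's GraphQL endpoint or the daemon directly.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: chaos-mesh
    # If your API server calls the controller manager's admission webhook and
    # that traffic is subject to NetworkPolicy on your CNI, add a second rule
    # here permitting the webhook port (see your chart values); otherwise
    # webhook calls will be dropped once this policy is applied.
```

NetworkPolicy is only enforced by CNIs that implement it (for example Calico or Cilium); on a CNI that does not, this object is accepted but has no effect, so verify enforcement with a test connection from a non-Chaos-Mesh pod after applying.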


“Platforms such as Chaos Mesh give, by design, full control of the Kubernetes cluster to the platform,” Shachar Menashe, VP of security research at JFrog, said in a statement shared with The Hacker News. “This flexibility can become a critical risk when vulnerabilities such as Chaotic Deputy are discovered.”
