CVE-2025-59358
Published: 2025-09-15
Priority: P3 · 48 · High
CVSS 3.1: 7.5 (High) · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.99% (58.0th percentile)
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chaos-mesh | chaos_mesh | < 2.7.3 | 2.7.3 |
| github.com | chaos-mesh_chaos-mesh | >= 0 < 2.7.3 | 2.7.3 |
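A cluster-side check for the affected range above, as an added example rather than anything shipped by the Chaos Mesh project: it reads the JSON that `kubectl get deployments -A -o json` produces, locates the controller manager by deployment name, pulls the image tag and compares it with the fixed version 2.7.3. The deployment name `chaos-controller-manager`, the image `ghcr.io/chaos-mesh/chaos-mesh` and the embedded JSON are assumptions about a default Helm install, constructed here so the program runs offline. Tags that carry no comparable version (`latest`, a digest-pinned image, a pre-release suffix) are reported as affected so they get reviewed by hand instead of silently passing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the first Chaos Mesh release that addresses CVE-2025-59358 (from the advisory).
const FixedVersion = "2.7.3"

// sampleKubectlJSON is a constructed stand-in for `kubectl get deployments -A -o json`.
// Deployment and image names are assumptions about a default Helm install, not advisory data.
const sampleKubectlJSON = `{
  "items": [
    {"metadata": {"name": "chaos-controller-manager", "namespace": "chaos-mesh"},
     "spec": {"template": {"spec": {"containers": [
       {"image": "ghcr.io/chaos-mesh/chaos-mesh:v2.7.2"}]}}}},
    {"metadata": {"name": "chaos-controller-manager", "namespace": "chaos-staging"},
     "spec": {"template": {"spec": {"containers": [
       {"image": "ghcr.io/chaos-mesh/chaos-mesh:v2.7.3"}]}}}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [
       {"image": "registry.example:5000/web:1.0"}]}}}}
  ]
}`

// deploymentList is the subset of the kubectl JSON that the audit needs.
type deploymentList struct {
	Items []struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
		Spec struct {
			Template struct {
				Spec struct {
					Containers []struct {
						Image string `json:"image"`
					} `json:"containers"`
				} `json:"spec"`
			} `json:"template"`
		} `json:"spec"`
	} `json:"items"`
}

// Finding is one controller-manager container and whether its tag is below FixedVersion.
type Finding struct {
	Namespace, Deployment, Image, Tag string
	Affected                          bool
}

// imageTag returns the tag of an image reference, or "" when no version can be read from it
// (digest-pinned image, no tag, or the only colon belongs to a registry port).
func imageTag(image string) string {
	if strings.Contains(image, "@") {
		return ""
	}
	i := strings.LastIndex(image, ":")
	if i < 0 || strings.Contains(image[i+1:], "/") {
		return ""
	}
	return image[i+1:]
}

// parseVersion reads "v2.7.2" into major/minor/patch. ok is false for "latest", for an empty
// tag, and for pre-release or build suffixes, which are not compared but flagged for review.
func parseVersion(tag string) (v [3]int, ok bool) {
	tag = strings.TrimPrefix(tag, "v")
	if strings.ContainsAny(tag, "-+") {
		return v, false
	}
	parts := strings.Split(tag, ".")
	if len(parts) != 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, false
		}
		v[i] = n
	}
	return v, true
}

// IsAffected reports whether tag is below FixedVersion; unparseable tags count as affected.
func IsAffected(tag string) bool {
	v, ok := parseVersion(tag)
	if !ok {
		return true
	}
	fixed, _ := parseVersion(FixedVersion)
	for i := 0; i < 3; i++ {
		if v[i] != fixed[i] {
			return v[i] < fixed[i]
		}
	}
	return false
}

// AuditDeployments scans a kubectl deployment list for the Chaos Mesh controller manager.
// Matching on the deployment name "chaos-controller-manager" is an assumption.
func AuditDeployments(kubectlJSON []byte) ([]Finding, error) {
	var list deploymentList
	if err := json.Unmarshal(kubectlJSON, &list); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, d := range list.Items {
		if !strings.Contains(d.Metadata.Name, "chaos-controller-manager") {
			continue
		}
		for _, c := range d.Spec.Template.Spec.Containers {
			tag := imageTag(c.Image)
			findings = append(findings, Finding{
				Namespace: d.Metadata.Namespace, Deployment: d.Metadata.Name,
				Image: c.Image, Tag: tag, Affected: IsAffected(tag),
			})
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditDeployments([]byte(sampleKubectlJSON))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s %s affected=%t\n", f.Namespace, f.Deployment, f.Image, f.Affected)
	}
}
```

Feed it the real dump by replacing `sampleKubectlJSON` with the output of `kubectl get deployments -A -o json`. The version check only tells you what is deployed; it says nothing about which namespaces can reach the controller manager's GraphQL port, which is the other half of this finding.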
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
Advisories

OSV · 2025-09-17 · CVE-2025-59358 [HIGH]
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function in github.com/chaos-mesh/chaos-mesh
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/chaos-mesh/chaos-mesh before v2.7.3.

GHSA · OSV · 2025-09-15 · CVE-2025-59358 [HIGH] · CWE-306
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.

GHSA · OSV · 2025-09-15 · CVSS 7.5 · CVE-2025-59359 [HIGH] · CWE-78
Chaos Controller Manager is vulnerable to OS command injection
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

GHSA · OSV · 2025-09-15 · CVSS 7.5 · CVE-2025-59360 [HIGH] · CWE-78
Chaos Controller Manager is vulnerable to OS command injection
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

GHSA · OSV · 2025-09-15 · CVSS 7.5 · CVE-2025-59361 [HIGH] · CWE-78
Chaos Controller Manager is vulnerable to OS command injection
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
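The three injection advisories above (cleanTcs, killProcesses, cleanIptables) describe one bug class, CWE-78: a value taken from a GraphQL mutation ends up in a command executed on a node. The advisories do not publish the vulnerable code, so the block below is an added illustration in Go and not Chaos Mesh's own code. It uses a hypothetical killProcesses-style handler whose only input is a list of PID strings, shows the shell-splicing pattern beside a hardened version that validates each value and passes an argv to exec without any shell, and returns the command it would run instead of running it so the example is safe to execute. The hostile input is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// ErrBadPID is returned for any mutation argument that is not a positive decimal integer.
var ErrBadPID = errors.New("pid must be a positive decimal integer")

// killArgvUnsafe is the CWE-78 pattern (an illustration, not Chaos Mesh's code): values taken
// straight from a GraphQL mutation are spliced into a command line that a shell re-parses.
// A pid of "1234; id" becomes two commands, and the second runs with the daemon's privileges.
func killArgvUnsafe(pids []string) []string {
	return []string{"sh", "-c", "kill -9 " + strings.Join(pids, " ")}
}

// killArgvSafe is the hardened form: every value must parse as a positive integer, and the
// argv goes to exec with no shell in between. ParseUint rejects "-1" (which would signal
// every process the daemon can reach) and the zero check rejects "0"; "--" stops kill from
// reading a later argument as an option.
func killArgvSafe(pids []string) ([]string, error) {
	if len(pids) == 0 {
		return nil, ErrBadPID
	}
	argv := []string{"kill", "-9", "--"}
	for _, p := range pids {
		n, err := strconv.ParseUint(p, 10, 32)
		if err != nil || n == 0 {
			return nil, fmt.Errorf("%w: %q", ErrBadPID, p)
		}
		argv = append(argv, strconv.FormatUint(n, 10)) // re-serialised, so "0042" becomes "42"
	}
	return argv, nil
}

// command builds the exec.Cmd for a validated argv. It is returned, not started, so running
// this example signals nothing; a real handler would call Run on it.
func command(argv []string) *exec.Cmd {
	return exec.Command(argv[0], argv[1:]...)
}

func main() {
	hostile := []string{"1234; id"} // constructed malicious mutation input
	fmt.Println("unsafe:", killArgvUnsafe(hostile))
	if _, err := killArgvSafe(hostile); err != nil {
		fmt.Println("safe:", err)
	}
	argv, _ := killArgvSafe([]string{"1234", "42"})
	fmt.Println("safe:", command(argv).Args)
}
```

Argument validation on its own does not close this page's finding. The mutations are reachable by any workload in the cluster without authentication (CVE-2025-59358), so a perfectly sanitised killProcesses still lets an unauthenticated caller kill processes in any pod. The upgrade to 2.7.3 covers all four CVEs; until it is rolled out, restricting in-cluster network access to the controller manager's GraphQL endpoint removes the unauthenticated reach that turns these injections into cluster-wide RCE.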
No detection rules found.
No public exploits indexed.