CVE-2025-59360
Published 2025-09-15
Priority P277 · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 2.81% (84.8th percentile)
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
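To make the bug class concrete, here is an added Go illustration of CWE-78 in a kill-processes style handler, written for this page and not taken from Chaos Mesh: one builder splices a caller-supplied PID string into a shell command line, the other validates the list and passes each PID as its own argv element. The comma-separated `pids` parameter, the function names and the `-9` signal are assumptions for the example; nothing here reproduces the project's actual code or an exploit against it.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// Added example, not Chaos Mesh code: contrasts the shell-string pattern
// behind a CWE-78 finding with a hardened equivalent. The request shape
// (a comma-separated "pids" string) is an assumption for the illustration.

// buildKillCommandUnsafe splices untrusted input into a shell command line.
// Whatever the shell finds in the string (";", "|", "$(...)", backticks) is
// executed with the privileges of the process that runs the command.
func buildKillCommandUnsafe(pids string) *exec.Cmd {
	script := "kill -9 " + pids
	return exec.Command("sh", "-c", script)
}

// ErrInvalidPID is returned when the input is not a comma-separated list of
// positive integers.
var ErrInvalidPID = errors.New("pid list must be positive integers separated by commas")

// parsePIDs turns "123,456" into []int{123, 456} and rejects anything else.
// Zero and negative values are refused too: kill(2) interprets them as
// process groups or "every process the caller may signal", which a
// per-process kill API should never be able to express.
func parsePIDs(raw string) ([]int, error) {
	var pids []int
	for _, field := range strings.Split(raw, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			return nil, ErrInvalidPID
		}
		pid, err := strconv.Atoi(field)
		if err != nil || pid <= 0 {
			return nil, ErrInvalidPID
		}
		pids = append(pids, pid)
	}
	return pids, nil
}

// buildKillCommandSafe validates first, then passes each PID as its own argv
// element. No shell is involved, so metacharacters have nothing to act on;
// they fail validation before any command is constructed.
func buildKillCommandSafe(raw string) (*exec.Cmd, error) {
	pids, err := parsePIDs(raw)
	if err != nil {
		return nil, err
	}
	args := []string{"-9"}
	for _, pid := range pids {
		args = append(args, strconv.Itoa(pid))
	}
	return exec.Command("kill", args...), nil
}

func main() {
	// Constructed inputs: a benign list and one carrying a shell metacharacter.
	for _, in := range []string{"123,456", "123; id"} {
		fmt.Printf("unsafe argv for %q: %q\n", in, buildKillCommandUnsafe(in).Args)
		cmd, err := buildKillCommandSafe(in)
		if err != nil {
			fmt.Printf("safe   rejects %q: %v\n", in, err)
			continue
		}
		fmt.Printf("safe   argv for %q: %q\n", in, cmd.Args)
	}
}
```

Neither builder runs anything; both only construct the command so the argv can be inspected. In a real controller the hardened path would go one step further and call `syscall.Kill` on each validated PID, so no child process is spawned at all. Upgrading to 2.7.3 is the fix this page records; input validation of this kind is what removes the injection primitive regardless of how the mutation is reached.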
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chaos-mesh | chaos_mesh | < 2.7.3 | 2.7.3 |
| github.com | chaos-mesh_chaos-mesh | >= 0 < 2.7.3 | 2.7.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| GHSA | | 7.5 | HIGH | |
| OSV | | 7.5 | HIGH | |

Note the split: NVD rates this 9.8 Critical while GHSA and OSV rate it 7.5 High. Triage on the NVD vector if your deployment matches the chained, unauthenticated in-cluster scenario in the description above.
OSV (Go vulnerability database) · 2025-09-17
Chaos Controller Manager is vulnerable to OS command injection in github.com/chaos-mesh/chaos-mesh.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/chaos-mesh/chaos-mesh before v2.7.3.
OSV · 2025-09-15 · CVSS 7.5 HIGH
Chaos Controller Manager is vulnerable to OS command injection (same description as above).
GHSA · 2025-09-15 · CVSS 7.5 HIGH · CWE-78
Chaos Controller Manager is vulnerable to OS command injection (same description as above).
No detection rules found.
No public exploits indexed.