github.com/chaos-mesh/chaos-mesh vulnerabilities
4 known vulnerabilities affecting github.com/chaos-mesh/chaos-mesh.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4
Vulnerabilities
CVE-2025-59361 | HIGH | priority P2 | CVSS 7.5 | affected: all versions before 2.7.3 | published 2025-09-15
CVE-2025-59361 [HIGH] CWE-78: Chaos Controller Manager is vulnerable to OS command injection
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. Chained with CVE-2025-59358 (the unauthenticated GraphQL debug server), this lets an unauthenticated attacker with in-cluster network access to the controller manager achieve remote code execution across the cluster.
Sources: GHSA, OSV
CVE-2025-59359 | HIGH | priority P2 | CVSS 7.5 | affected: all versions before 2.7.3 | published 2025-09-15
CVE-2025-59359 [HIGH] CWE-78: Chaos Controller Manager is vulnerable to OS command injection
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. Chained with CVE-2025-59358 (the unauthenticated GraphQL debug server), this lets an unauthenticated attacker with in-cluster network access to the controller manager achieve remote code execution across the cluster.
Sources: GHSA, OSV
CVE-2025-59360 | HIGH | priority P2 | CVSS 7.5 | affected: all versions before 2.7.3 | published 2025-09-15
CVE-2025-59360 [HIGH] CWE-78: Chaos Controller Manager is vulnerable to OS command injection
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. Chained with CVE-2025-59358 (the unauthenticated GraphQL debug server), this lets an unauthenticated attacker with in-cluster network access to the controller manager achieve remote code execution across the cluster.
Sources: GHSA, OSV
CVE-2025-59358 | HIGH | priority P3 | CVSS: not listed | affected: all versions before 2.7.3 | published 2025-09-15
CVE-2025-59358 [HIGH] CWE-306: Chaos Mesh's Chaos Controller Manager is missing authentication for a critical function
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server to the entire Kubernetes cluster without authentication. That server provides an API to kill arbitrary processes in any Kubernetes pod, so anyone who can reach it from inside the cluster can cause a cluster-wide denial of service. It is also the entry point for the three CWE-78 command-injection entries above, which is why those are rated as remote code execution rather than a local issue.
Sources: GHSA, OSV
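The four entries above describe one exposure chain: an unauthenticated GraphQL mutation whose string arguments end up in a shell command line (CWE-78), reachable by anyone on the cluster network (CWE-306). The Go program below is an added illustration written for this page, not Chaos Mesh's own code and not the fix shipped in 2.7.3 (the page does not say what that fix was). It shows the unsafe pattern beside a hardened one: PIDs and interface names are validated and passed as an argv to exec.Command with no shell, and a bearer-token check sits in front of the debug endpoint. The function names, the interface-name regex and the bearer-token scheme are all assumptions made for the example; the "1234; id" and "$(id)" inputs are constructed attacker strings.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// ---- CWE-78: how a mutation builds its command ----

// KillArgvUnsafe is the pattern behind the three CWE-78 entries (illustrative,
// not the project's code): the caller-controlled string is spliced into a shell
// command line, so "1234; id" runs `id` as well as `kill`.
func KillArgvUnsafe(pids string) []string {
	return []string{"sh", "-c", "kill -9 " + pids}
}

// KillArgvSafe validates each PID as an integer > 1 and returns an argv that is
// executed without a shell, so metacharacters are never interpreted.
func KillArgvSafe(pids []string) ([]string, error) {
	argv := []string{"kill", "-9"}
	for _, p := range pids {
		n, err := strconv.Atoi(strings.TrimSpace(p))
		if err != nil || n <= 1 {
			return nil, fmt.Errorf("rejecting pid %q: not a positive integer", p)
		}
		argv = append(argv, strconv.Itoa(n))
	}
	return argv, nil
}

// ifaceRe is an assumed allow-list for Linux interface names (the kernel limit
// is 15 characters); it admits no shell metacharacters.
var ifaceRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)

// TcDeleteArgvSafe builds the argv for a cleanTcs-style "tc qdisc del" on one
// device, rejecting anything that is not a plain interface name.
func TcDeleteArgvSafe(device string) ([]string, error) {
	if !ifaceRe.MatchString(device) {
		return nil, fmt.Errorf("rejecting device %q: not an interface name", device)
	}
	return []string{"tc", "qdisc", "del", "dev", device, "root"}, nil
}

// Run executes an argv directly: argv[0] is the program and the remaining
// elements are passed as separate arguments, never parsed by a shell.
func Run(argv []string) ([]byte, error) {
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

// ---- CWE-306: gating the debug endpoint ----

// AuthOK checks an Authorization header against a shared bearer token using a
// constant-time compare. An empty configured token never authorizes, so a
// deployment that forgot to set one fails closed. (Assumed scheme for this
// example only.)
func AuthOK(authHeader, token string) bool {
	if token == "" || !strings.HasPrefix(authHeader, "Bearer ") {
		return false
	}
	got := strings.TrimPrefix(authHeader, "Bearer ")
	return subtle.ConstantTimeCompare([]byte(got), []byte(token)) == 1
}

func main() {
	attacker := "1234; id" // constructed attacker-controlled mutation argument

	// Unsafe: the whole string reaches `sh -c`, so "; id" is a second command.
	fmt.Printf("unsafe argv: %q\n", KillArgvUnsafe(attacker))

	// Safe: the same input is rejected before anything is executed.
	if _, err := KillArgvSafe([]string{attacker}); err != nil {
		fmt.Println("safe:", err)
	}
	if _, err := TcDeleteArgvSafe("eth0; id"); err != nil {
		fmt.Println("safe:", err)
	}

	// Even a metacharacter that reaches argv is inert without a shell:
	// echo receives the literal bytes "$(id)".
	out, err := Run([]string{"echo", "$(id)"})
	fmt.Printf("no shell: %q err=%v\n", strings.TrimSpace(string(out)), err)

	fmt.Println("auth, correct token:", AuthOK("Bearer s3cr3t", "s3cr3t"))
	fmt.Println("auth, no token configured:", AuthOK("Bearer s3cr3t", ""))
}
```

The two halves are deliberately independent: validating arguments and dropping the shell closes the CWE-78 bugs even for an authenticated caller, while the token check (or, equivalently, not binding the debug server to the pod network at all) removes the CWE-306 reachability that turns them into unauthenticated cluster-wide RCE.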