CRITICAL🇵🇱 Wersja polska

CVE-2025-59359

CVSS 9.8v3.1pub. 2025-09-15upd. 2025-10-14

The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

🤖 AI Analysis
How it works

An attacker inside the cluster can pass maliciously crafted data to the cleanTcs mutation in Chaos Controller Manager, which does not properly validate the input before passing it to a system call. This leads to arbitrary OS command injection (CWE-78). Combined with CVE-2025-59358, it is possible to carry out an unauthenticated attack, which ultimately allows code execution at the cluster level.

Impact

An unauthenticated attacker with access to the cluster network can take full control of the Kubernetes cluster through remote code execution (RCE), threatening the confidentiality, integrity, and availability of all cluster resources.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references — details in pull request #4702 on the official Chaos Mesh GitHub repository. Additionally, network access to the Chaos Controller Manager component should be restricted exclusively to trusted entities within the cluster until the patch is deployed.

Who is affected

Chaos Mesh (Chaos Controller Manager) — versions indicated in vendor references (patch pull request: https://github.com/chaos-mesh/chaos-mesh/pull/4702)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Chaos Mesh

    APP
    Chaos-Mesh
    < 2.7.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2025-59360CRITICAL9.8PL ✓ten sam produkt

Command injection w Chaos Mesh umożliwia RCE w klastrze Kubernetes

CVE-2025-59361CRITICAL9.8PL ✓ten sam produkt

Command injection w Chaos Mesh — nieautoryzowane RCE w klastrze Kubernetes

CVE-2025-59358HIGH7.5ten sam produkt

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the en...

CVE-2024-36538HIGH8.8ten sam produkt

Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by...