The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
An attacker inside the cluster can pass maliciously crafted data to the cleanTcs mutation in Chaos Controller Manager, which does not properly validate the input before passing it to a system call. This leads to arbitrary OS command injection (CWE-78). Combined with CVE-2025-59358, it is possible to carry out an unauthenticated attack, which ultimately allows code execution at the cluster level.
An unauthenticated attacker with access to the cluster network can take full control of the Kubernetes cluster through remote code execution (RCE), threatening the confidentiality, integrity, and availability of all cluster resources.
Patches available from the vendor should be applied in accordance with the references — details in pull request #4702 on the official Chaos Mesh GitHub repository. Additionally, network access to the Chaos Controller Manager component should be restricted exclusively to trusted entities within the cluster until the patch is deployed.
Chaos Mesh (Chaos Controller Manager) — versions indicated in vendor references (patch pull request: https://github.com/chaos-mesh/chaos-mesh/pull/4702)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChaos Mesh
APPChaos-Mesh< 2.7.3
Related vulnerabilities
Command injection w Chaos Mesh umożliwia RCE w klastrze Kubernetes
Command injection w Chaos Mesh — nieautoryzowane RCE w klastrze Kubernetes
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the en...
Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by...