CRITICAL🇵🇱 Wersja polska

CVE-2025-59360

CVSS 9.8v3.1pub. 2025-09-15upd. 2025-10-14

The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

🤖 AI Analysis
How it works

The killProcesses mutation in Chaos Controller Manager does not properly validate input data before passing it to system calls, leading to OS command injection (CWE-78). An attacker can craft appropriate input data that will be executed as system commands in the context of the manager. Exploiting this vulnerability together with CVE-2025-59358 enables an unauthenticated attacker inside the cluster to perform RCE on multiple cluster nodes.

Impact

An attacker can execute arbitrary code on Kubernetes cluster nodes, gaining full control over the confidentiality, integrity, and availability of cluster resources. In a chain attack scenario with CVE-2025-59358, complete cluster takeover is possible.

Mitigation & patch

Apply patches available from the vendor according to references — see pull request https://github.com/chaos-mesh/chaos-mesh/pull/4702. It is recommended to urgently update Chaos Mesh to a version containing the fix.

Who is affected

Chaos Mesh (Chaos-Mesh) — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Chaos Mesh

    APP
    Chaos-Mesh
    < 2.7.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2025-59359CRITICAL9.8PL ✓ten sam produkt

Command Injection w Chaos Mesh — RCE w klastrze Kubernetes

CVE-2025-59361CRITICAL9.8PL ✓ten sam produkt

Command injection w Chaos Mesh — nieautoryzowane RCE w klastrze Kubernetes

CVE-2025-59358HIGH7.5ten sam produkt

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the en...

CVE-2024-36538HIGH8.8ten sam produkt

Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by...