The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
The killProcesses mutation in Chaos Controller Manager does not properly validate input data before passing it to system calls, leading to OS command injection (CWE-78). An attacker can craft appropriate input data that will be executed as system commands in the context of the manager. Exploiting this vulnerability together with CVE-2025-59358 enables an unauthenticated attacker inside the cluster to perform RCE on multiple cluster nodes.
An attacker can execute arbitrary code on Kubernetes cluster nodes, gaining full control over the confidentiality, integrity, and availability of cluster resources. In a chain attack scenario with CVE-2025-59358, complete cluster takeover is possible.
Apply patches available from the vendor according to references — see pull request https://github.com/chaos-mesh/chaos-mesh/pull/4702. It is recommended to urgently update Chaos Mesh to a version containing the fix.
Chaos Mesh (Chaos-Mesh) — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChaos Mesh
APPChaos-Mesh< 2.7.3
Related vulnerabilities
Command Injection w Chaos Mesh — RCE w klastrze Kubernetes
Command injection w Chaos Mesh — nieautoryzowane RCE w klastrze Kubernetes
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the en...
Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by...