The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
The cleanIptables mutation in Chaos Controller Manager does not properly validate input data passed to system commands, which is a classic CWE-78 (OS command injection) flaw. An attacker can inject arbitrary system commands that will be executed in the context of the management component. In combination with a separate CVE-2025-59358 vulnerability, it is possible to conduct an attack without having any privileges in the cluster, and the impact extends to all cluster nodes.
An unauthenticated attacker with network access inside the cluster can execute arbitrary code remotely (RCE) and — in combination with CVE-2025-59358 — take full control of the Kubernetes cluster, gaining high levels of confidentiality, integrity, and availability of resources.
Apply patches available from the vendor according to references — fix available via pull request #4702 in the chaos-mesh/chaos-mesh GitHub repository. It is recommended to urgently update Chaos Mesh to a version containing the patch and restrict network access to the Chaos Controller Manager component only to trusted entities within the cluster.
Chaos Mesh (Chaos-Mesh product) — versions indicated in vendor references (pull request #4702 on GitHub)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChaos Mesh
APPChaos-Mesh< 2.7.3
Related vulnerabilities
Command Injection w Chaos Mesh — RCE w klastrze Kubernetes
Command injection w Chaos Mesh umożliwia RCE w klastrze Kubernetes
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the en...
Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by...