Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover
Briefly

"Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform's fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens," JFrog said in a report shared with The Hacker News. Chaos Mesh is an open-source cloud-native Chaos Engineering platform that offers various types of fault simulation and simulates various abnormalities that might occur during the software development lifecycle.
"CVE-2025-59358 (CVSS score: 7.5) - The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial-of-service. An in-cluster attacker, i.e., a threat actor with initial access to the cluster's network, could chain CVE-2025-59359, CVE-2025-59360, or CVE-2025-59361 with CVE-2025-59358 to perform remote code execution across the cluster, even in the default configuration of Chaos Mesh. JFrog said the vulnerabilities stem from insufficient authentication mechanisms within the Chaos Controller Manager's GraphQL server, allowing unauthenticated attackers to run arbitrar"
Multiple critical vulnerabilities in Chaos Mesh permit attackers with minimal in-cluster network access to execute fault injections, terminate processes, disrupt network communications, and exfiltrate privileged service account tokens. The issues include an unauthenticated GraphQL debugging server in the Chaos Controller Manager (CVE-2025-59358) and multiple operating system command injection flaws in cleanTcs, killProcesses, and cleanIptables mutations (CVE-2025-59359, CVE-2025-59360, CVE-2025-59361). CVSS scores reach up to 9.8, reflecting severe risk. Chaining these flaws enables remote code execution and potential cluster takeover even in default configurations. Insufficient authentication in the controller manager's GraphQL server is a primary enabling factor.
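As an added illustration, and not Chaos Mesh's own code or the fix the project shipped, the hypothetical Go resolver below shows the defensive pattern that closes the OS command injection class named above: every GraphQL argument (namespace, pod, process IDs) is validated against a strict allowlist and then passed to the target program as a separate argv element, so there is never a shell string for attacker-controlled text to break out of. The `KillProcessesInput` type, its field names and the `kill -9` invocation are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// KillProcessesInput is a hypothetical request shape for a process-kill
// mutation (an assumption for this example, not Chaos Mesh's schema).
type KillProcessesInput struct {
	Namespace string
	Pod       string
	PIDs      []string
}

var (
	// RFC 1123 label: the character set Kubernetes itself allows for
	// namespace and pod names, so anything else cannot be a real target.
	dnsLabel   = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	ErrBadName = errors.New("invalid Kubernetes name")
	ErrBadPID  = errors.New("invalid pid")
)

// validateName rejects names that are not valid Kubernetes DNS labels.
func validateName(s string) error {
	if len(s) == 0 || len(s) > 63 || !dnsLabel.MatchString(s) {
		return fmt.Errorf("%w: %q", ErrBadName, s)
	}
	return nil
}

// validatePID accepts only a canonical positive integer. Strings carrying
// shell metacharacters, leading zeros or signs are rejected before they
// can reach a command line.
func validatePID(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n <= 0 || strconv.Itoa(n) != s {
		return 0, fmt.Errorf("%w: %q", ErrBadPID, s)
	}
	return n, nil
}

// BuildKillArgv turns a validated request into an argv slice meant for
// exec.Command(argv[0], argv[1:]...). No shell is involved and each PID is
// its own argument, so the input cannot change which program runs or add
// further commands.
func BuildKillArgv(in KillProcessesInput) ([]string, error) {
	if err := validateName(in.Namespace); err != nil {
		return nil, err
	}
	if err := validateName(in.Pod); err != nil {
		return nil, err
	}
	if len(in.PIDs) == 0 {
		return nil, errors.New("no pids given")
	}
	argv := []string{"kill", "-9"}
	for _, p := range in.PIDs {
		pid, err := validatePID(p)
		if err != nil {
			return nil, err
		}
		argv = append(argv, strconv.Itoa(pid))
	}
	return argv, nil
}

func main() {
	// Constructed sample inputs: one well-formed request and one that
	// smuggles a second command, which the validator refuses.
	good := KillProcessesInput{Namespace: "default", Pod: "web-0", PIDs: []string{"4242"}}
	argv, err := BuildKillArgv(good)
	fmt.Println(argv, err)

	bad := KillProcessesInput{Namespace: "default", Pod: "web-0", PIDs: []string{"4242; id"}}
	_, err = BuildKillArgv(bad)
	fmt.Println(err)
}
```

The same two rules, allowlist validation of each field and argv rather than shell interpolation, apply equally to the iptables and tc cleanup mutations the summary mentions; the only thing that changes is the allowlist (chain names, interface names) for each argument. Validation alone is not a substitute for authenticating the GraphQL endpoint itself, which the summary identifies as the primary enabling factor.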
Read at The Hacker News