Cybersecurity researchers have uncovered multiple critical security vulnerabilities in the chaos mesh, which, if exploited successfully, could lead to cluster takeovers in the Kubernetes environment.
“Attackers must exploit these vulnerabilities and minimize network access within the cluster to perform more malicious actions, such as platform failure injections (such as pod shutdowns and network communication disruptions), and steal privileged service account tokens.
Chaos Mesh is an open source, cloud-native chaos engineering platform that provides different types of fault simulation and simulates various anomalies that can occur during the software development lifecycle.
The issues that are collectively known as confounding are listed below –
- CVE-2025-59358 (CVSS Score: 7.5) – Chaos Mesh’s Chaos Controller Manager exposes GraphQL debug servers without authentication across Kubernetes clusters.
- CVE-2025-59359 (CVSS score: 9.8) – CleanTCS mutation in Chaos Controller Manager is vulnerable to operating system command injection
- CVE-2025-59360 (CVSS score: 9.8) – KillProcesses mutation in Chaos Controller Manager is vulnerable to operating system command injection
- CVE-2025-59361 (CVSS score: 9.8) – Cleaniptables mutation in Chaos Controller Manager is vulnerable to operating system command injection
Remote code execution can also be performed with the default configuration of CHAOS MESH using attackers within the cluster, namely CVE-2025-59359, CVE-2025-59360, CVE-2025-59361, or CVE-2025-59358, which are threat actors with initial access to the cluster’s network.
JFrog said the vulnerability involves inadequate authentication mechanisms within the GraphQL Server of Chaos Controller Manager, allowing unauthenticated attackers to execute arbitrary commands in Chaos Daemon, resulting in cluster takeover.
Threat actors can leverage access to potentially exfiltrating data, disrupt critical services, or even move clusters sideways to escalate privileges.
Following the responsible disclosure on May 6, 2025, all the defects identified were addressed by Chaos Mesh on August 21 with the release of version 2.7.3.
Users are advised to update their installation to the latest version as soon as possible. If immediate patching is not an option, we recommend limiting network traffic to the chaotic mesh daemon and API servers, and not running chaotic meshes in open or loose environments.
