CVE-2025-59358

Published Sep 15, 2025

Last updated 5 months ago

Overview

Description
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
Source
reefs@jfrog.com
NVD status
Analyzed
Products
chaos_mesh

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

reefs@jfrog.com
CWE-306

Social media

Hype score
Not currently trending
  1. CVE-2025-59358 (CVSS:7.5, HIGH) is Awaiting Analysis. The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kuber..https://t.co/Et2VIHY1dw #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    20 Sept 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨Alert🚨CVE-2025-59358~CVE-2025-59361 : Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover 🧐Deep Dive :https://t.co/zGzdsSRVFg 📊1.6K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/rwc5HnzRZD 👇Qu

    @HunterMapping

    17 Sept 2025

    2856 Impressions

    20 Retweets

    53 Likes

    19 Bookmarks

    0 Replies

    0 Quotes

  3. Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover CVE-2025-59358 , CVE-2025-59360 , CVE-2025-59361 , CVE-2025-59359. The last three CVEs of Chaotic Deputy are severe (CVSS 9.8) vulnerabilities in which an attacker inside the cluster

    @ngnicky

    16 Sept 2025

    150 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  4. 💥 NEW #Security Research: We've uncovered "Chaotic Deputy," a set of 9.8-rated critical vulnerabilities in the Chaos Mesh platform including CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361. These flaws can lead to a full Kubernetes cluster takeover. We've ht

    @JFrogSecurity

    16 Sept 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Chaos Mesh CVE-2025-59358: Cluster-wide Auth Bypass A new flaw in Chaos Mesh lets attackers bypass GraphQL auth, opening the door to cluster-wide access. Patch ASAP. For more details, read ZeroPath's blog on this vuln. #Kubernetes #AppSec #InfoSec https://t.co/0NO3uqWtAm

    @ZeroPathLabs

    15 Sept 2025

    31 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. [CVE-2025-59359: CRITICAL] Chaos Controller Manager's cleanTcs mutation has OS command injection vulnerability. Together with CVE-2025-59358, unauthenticated attackers can execute code in the cluster.#cve,CVE-2025-59359,#cybersecurity https://t.co/XYQ4O6TQsH https://t.co/wEWii3Wt

    @CveFindCom

    15 Sept 2025

    183 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  7. CVE-2025-59358 The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill a… https://t.co/DOCE1UptSl

    @CVEnew

    15 Sept 2025

    343 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-59359 The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster a… https://t.co/2yTzjtGWOh

    @CVEnew

    15 Sept 2025

    321 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-59360 The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-clust… https://t.co/df2q4asUxJ

    @CVEnew

    15 Sept 2025

    336 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-59361 The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-clust… https://t.co/s7pSZ2SmkZ

    @CVEnew

    15 Sept 2025

    288 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations