AI description
CVE-2025-59358 affects Chaos Mesh, a chaos engineering platform for Kubernetes. The vulnerability lies in the Chaos Controller Manager, which exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster. This server provides an API that can be used to kill arbitrary processes in any Kubernetes pod. The lack of authentication on the GraphQL debugging server allows unauthenticated access to the GraphQL playground and query endpoint. An attacker with minimal in-cluster network access could exploit this vulnerability to perform unauthorized fault injections, potentially leading to a cluster-wide denial of service.
- Description
- The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
- Source
- reefs@jfrog.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
- reefs@jfrog.com
- CWE-306
- Hype score
- Not currently trending
CVE-2025-59358 (CVSS:7.5, HIGH) is Awaiting Analysis. The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kuber..https://t.co/Et2VIHY1dw #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
20 Sept 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨CVE-2025-59358~CVE-2025-59361 : Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover 🧐Deep Dive :https://t.co/zGzdsSRVFg 📊1.6K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/rwc5HnzRZD 👇Qu
@HunterMapping
17 Sept 2025
2856 Impressions
20 Retweets
53 Likes
19 Bookmarks
0 Replies
0 Quotes
Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover CVE-2025-59358 , CVE-2025-59360 , CVE-2025-59361 , CVE-2025-59359입니다. Chaotic Deputy의 마지막 세 가지 CVE는 심각도(CVSS 9.8)의 취약점으로, 클러스터 내 공격자
@ngnicky
16 Sept 2025
150 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
💥 NEW #Security Research: We've uncovered "Chaotic Deputy," a set of 9.8-rated critical vulnerabilities in the Chaos Mesh platform including CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361. These flaws can lead to a full Kubernetes cluster takeover. We've ht
@JFrogSecurity
16 Sept 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Chaos Mesh CVE-2025-59358: Cluster-wide Auth Bypass A new flaw in Chaos Mesh lets attackers bypass GraphQL auth, opening the door to cluster-wide access. Patch ASAP. For more details, read ZeroPath's blog on this vuln. #Kubernetes #AppSec #InfoSec https://t.co/0NO3uqWtAm
@ZeroPathLabs
15 Sept 2025
31 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
[CVE-2025-59359: CRITICAL] Chaos Controller Manager's cleanTcs mutation has OS command injection vulnerability. Together with CVE-2025-59358, unauthenticated attackers can execute code in the cluster.#cve,CVE-2025-59359,#cybersecurity https://t.co/XYQ4O6TQsH https://t.co/wEWii3Wt
@CveFindCom
15 Sept 2025
183 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-59360 The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-clust… https://t.co/df2q4asUxJ
@CVEnew
15 Sept 2025
336 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-59358 The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill a… https://t.co/DOCE1UptSl
@CVEnew
15 Sept 2025
343 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-59359 The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster a… https://t.co/2yTzjtGWOh
@CVEnew
15 Sept 2025
321 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-59361 The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-clust… https://t.co/s7pSZ2SmkZ
@CVEnew
15 Sept 2025
288 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes