CVE-2025-59359

Published Sep 15, 2025

Last updated 5 months ago

CVSS critical 9.8
graphql

Overview

Description
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
Source
reefs@jfrog.com
NVD status
Analyzed
Products
chaos_mesh

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

reefs@jfrog.com
CWE-78

Social media

Hype score
Not currently trending

  1. CVE-2025-59359 (CVSS:9.8, CRITICAL) is Awaiting Analysis. The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59..https://t.co/biPbgKglGd #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    20 Sept 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover CVE-2025-59358 , CVE-2025-59360 , CVE-2025-59361 , CVE-2025-59359입니다. Chaotic Deputy의 마지막 세 가지 CVE는 심각도(CVSS 9.8)의 취약점으로, 클러스터 내 공격자

    @ngnicky

    16 Sept 2025

    150 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  3. 💥 NEW #Security Research: We've uncovered "Chaotic Deputy," a set of 9.8-rated critical vulnerabilities in the Chaos Mesh platform including CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361. These flaws can lead to a full Kubernetes cluster takeover. We've ht

    @JFrogSecurity

    16 Sept 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2025-59359: CRITICAL] Chaos Controller Manager's cleanTcs mutation has OS command injection vulnerability. Together with CVE-2025-59358, unauthenticated attackers can execute code in the cluster.#cve,CVE-2025-59359,#cybersecurity https://t.co/XYQ4O6TQsH https://t.co/wEWii3Wt

    @CveFindCom

    15 Sept 2025

    183 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. CVE-2025-59359 The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster a… https://t.co/2yTzjtGWOh

    @CVEnew

    15 Sept 2025

    321 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.CVE-2026-27128
  2. GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repeatedly querying it through GraphQl.CVE-2026-1387
  3. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.CVE-2025-14592
  4. Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.CVE-2026-23897
  5. GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.CVE-2026-23735

References

Sources include official advisories and independent security research.