CVE-2025-59360

Published Sep 15, 2025

Last updated 5 months ago

CVSS critical 9.8
graphql

Overview

Description
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
Source
reefs@jfrog.com
NVD status
Analyzed
Products
chaos_mesh

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

reefs@jfrog.com
CWE-78

Social media

Hype score
Not currently trending

  1. CVE-2025-59360 (CVSS:9.8, CRITICAL) is Awaiting Analysis. The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-20..https://t.co/eFroPTsKQp #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    20 Sept 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover CVE-2025-59358 , CVE-2025-59360 , CVE-2025-59361 , CVE-2025-59359입니다. Chaotic Deputy의 마지막 세 가지 CVE는 심각도(CVSS 9.8)의 취약점으로, 클러스터 내 공격자

    @ngnicky

    16 Sept 2025

    150 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  3. 💥 NEW #Security Research: We've uncovered "Chaotic Deputy," a set of 9.8-rated critical vulnerabilities in the Chaos Mesh platform including CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361. These flaws can lead to a full Kubernetes cluster takeover. We've ht

    @JFrogSecurity

    16 Sept 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-59360 i Chaos Controller Manager tillåter obehörig fjärrkodexekvering genom kommandoinjektion. En allvarlig sårbarhet som kan leda till katastrofala konsekvenser för kluster. Se över era säkerhetsåtgärder! #säkerhet #cybersäkerhet #CVE

    @Sakerhetsblogg

    15 Sept 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-59360 Unauthenticated Remote Code Execution in Chaos Controller Manager killProcesses Mutation https://t.co/izsqAl6xyi

    @VulmonFeeds

    15 Sept 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. [CVE-2025-59360: CRITICAL] Chaos Controller Manager's killProcesses mutation is vulnerable to OS command injection, enabling unauthenticated in-cluster attackers to execute remote code across the cluster.#cve,CVE-2025-59360,#cybersecurity https://t.co/IhaxSEBGCm https://t.co/uWNc

    @CveFindCom

    15 Sept 2025

    156 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-59360 The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-clust… https://t.co/df2q4asUxJ

    @CVEnew

    15 Sept 2025

    336 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.CVE-2026-27128
  2. GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repeatedly querying it through GraphQl.CVE-2026-1387
  3. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.CVE-2025-14592
  4. Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.CVE-2026-23897
  5. GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.CVE-2026-23735

References

Sources include official advisories and independent security research.