Vulnerabilities in Chaos-Mesh allow for internal code execution within the cluster

Three significant flaws in Chaos-Mesh allow attackers who already have a foothold inside the cluster network to execute arbitrary code, even when the default settings are in place.

Chaos-Mesh Vulnerabilities Enable In-Cluster Execution with Potential Critical Consequences

A series of critical vulnerabilities has been identified in Chaos-Mesh, an open-source chaos engineering platform for Kubernetes. The affected component is the Chaos Controller Manager, a core part of the platform.

The vulnerabilities, tracked as CVE-2025-59358, CVE-2025-59360, CVE-2025-59361, and CVE-2025-59359, each carry a CVSS score of 9.8, indicating critical severity. They permit straightforward OS command injection because user input is concatenated directly into shell commands that the platform's ExecBypass routine executes.
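The concatenation flaw described above, shown beside a hardened form, as an added example that is not Chaos-Mesh code: the flag names and argument layout for the nsexec helper are hypothetical, and the point is that building an argv slice with validated fields, instead of a shell string, leaves no shell for metacharacters to influence.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// vulnerableCommandLine mirrors the injection pattern: caller-controlled
// fields are spliced into one string that is later handed to "sh -c".
// Flag names are hypothetical, not the real nsexec interface.
func vulnerableCommandLine(pid, cmd string) string {
	return "nsexec --target " + pid + " -- " + cmd
}

var pidRe = regexp.MustCompile(`^[1-9][0-9]{0,9}$`)

var (
	ErrBadPID     = errors.New("pid must be a positive integer")
	ErrBadCommand = errors.New("command contains shell metacharacters")
)

// hardenedArgs validates each field and returns an argv slice. exec.Command
// passes argv straight to execve, so no shell ever parses the input; the
// metacharacter check is defence in depth. A stricter design would accept
// only an allowlist of commands instead of free text.
func hardenedArgs(pid, cmd string) ([]string, error) {
	if !pidRe.MatchString(pid) {
		return nil, ErrBadPID
	}
	if strings.ContainsAny(cmd, ";&|`$()<>\n") {
		return nil, ErrBadCommand
	}
	return []string{"nsexec", "--target", pid, "--", cmd}, nil
}

func main() {
	// Constructed inputs: a valid pid, then one carrying a shell separator.
	if args, err := hardenedArgs("1234", "ls"); err == nil {
		fmt.Println("argv:", exec.Command(args[0], args[1:]...).String())
	}
	if _, err := hardenedArgs("1234", "ls; echo injected"); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Println("vulnerable string:", vulnerableCommandLine("1234", "ls; echo injected"))
}
```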

One of the ways an attacker can exploit these vulnerabilities is by copying service account tokens from target pods into their own pod, escalating privileges cluster-wide. This can be achieved using exposed namespaces under and the nsexec helper.

The vulnerable component exposes a GraphQL debug server that accepts unauthenticated queries, which serves as the entry point. An attacker with network access inside the cluster can call its GraphQL mutations to trigger the platform's native fault injections.

Those fault injections include killing processes and modifying iptables rules, a significant threat to the cluster's security. According to the report, in-cluster compromises are common enough that these vulnerabilities are both highly dangerous and easy to exploit.

The Chaos-Mesh maintainers have responded rapidly to address these critical security issues. As a temporary workaround, redeploying the Helm chart with the control server disabled reduces exposure. However, the recommended solution is to keep Chaos Mesh components updated regularly and follow Kubernetes security best practices, including strict Role-Based Access Control (RBAC) policies and network segmentation.

Managed offerings that integrate Chaos-Mesh, such as Azure Chaos Studio, may also be affected. It is crucial for users to upgrade to Chaos-Mesh 2.7.3 immediately due to the ease of exploitation and potential for total cluster takeover.

The report does not mention any new CVSS scores for the vulnerabilities. Menashe, a security researcher, recommends swift upgrades, stating that these vulnerabilities are extremely easy to exploit.

Chaos Mesh is developed by the Chaos Mesh community, which emphasizes the importance of minimizing the impact of discovered security vulnerabilities and urges users to prioritize regular updates and Kubernetes security best practices.
