
Critical GraphQL Vulnerabilities in Chaos Mesh Allow RCE and Total Kubernetes Cluster Compromise

Cybersecurity researchers have identified critical security vulnerabilities in Chaos Mesh that could allow attackers to take over Kubernetes clusters. According to the report from JFrog, exploiting these vulnerabilities requires only minimal access to the cluster network. An attacker could then carry out harmful actions such as triggering fault injections that disrupt services and stealing sensitive tokens.

Chaos Mesh is an open-source platform designed for Chaos Engineering, allowing users to simulate various faults within a cloud-native environment. The vulnerabilities, collectively termed "Chaotic Deputy", include:

  • CVE-2025-59358: The Chaos Controller Manager’s GraphQL debugging server is exposed without authentication, allowing unauthorized access to arbitrary processes and leading to potential denial-of-service across the cluster (CVSS score: 7.5).
  • CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361: Command injection vulnerabilities in different mutations of the Chaos Controller Manager (CVSS score: 9.8).

An attacker already inside the cluster could chain these vulnerabilities to execute remote code, even against a default Chaos Mesh installation. The root cause is inadequate authentication on the Chaos Controller Manager's GraphQL server: an attacker who can reach it can issue arbitrary commands and, from there, compromise the cluster.

Following responsible disclosure on May 6, 2025, the Chaos Mesh team addressed these vulnerabilities in version 2.7.3, released on August 21. Users are encouraged to upgrade to this version promptly. Until the upgrade is in place, it is advised to limit network traffic to the Chaos Mesh daemon and API server to mitigate the risk, especially in less secure environments.
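One way to apply the interim advice above is with Kubernetes NetworkPolicy objects that cut off reachability of the Chaos Controller Manager's debugging port and the chaos-daemon from pods that have no business talking to them. The manifest below is an added example written for this article; it is not code from JFrog, the Chaos Mesh project, or the original post. It assumes Chaos Mesh is installed in the `chaos-mesh` namespace, that pods carry the `app.kubernetes.io/name` and `app.kubernetes.io/component` labels shown, and that the cluster's CNI enforces NetworkPolicy. The port numbers are placeholders: check them against the deployment's Services and container ports (for example with `kubectl get svc -n chaos-mesh` and `kubectl get pod -n chaos-mesh -o yaml`) before applying, because a policy that selects a pod denies every ingress flow it does not explicitly allow, including the admission webhook calls the Kubernetes API server makes to the controller manager. This is defense in depth for the window before upgrading to 2.7.3, not a replacement for the upgrade.

```yaml
# Added example (not from the article or the Chaos Mesh project).
# Assumptions, to be verified against your own installation:
#   - namespace "chaos-mesh"
#   - labels app.kubernetes.io/name=chaos-mesh and
#     app.kubernetes.io/component in {controller-manager, chaos-dashboard, chaos-daemon}
#   - every port below is a PLACEHOLDER until checked against the deployment
#   - the CNI plugin enforces NetworkPolicy (some do not)
---
# Policy 1: only the Chaos Dashboard may reach the controller manager's
# debugging/GraphQL port. Any other required ingress (admission webhook from
# the API server, metrics scraping) must be listed explicitly, because a
# selected pod drops all ingress not matched by some rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: controller-manager-restrict-ingress
  namespace: chaos-mesh
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: chaos-mesh
      app.kubernetes.io/component: controller-manager
  policyTypes:
    - Ingress
  ingress:
    # GraphQL debugging server: dashboard pods only
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: chaos-mesh
              app.kubernetes.io/component: chaos-dashboard
      ports:
        - protocol: TCP
          port: 10082   # PLACEHOLDER: the port the GraphQL debugging server listens on
    # Admission webhook: the API server must still reach it; an empty "from"
    # allows all sources on this port only (API server source IPs vary by setup)
    - ports:
        - protocol: TCP
          port: 10250   # PLACEHOLDER: the controller manager's webhook port
---
# Policy 2: chaos-daemon accepts connections from the controller manager only.
# The daemon executes the fault-injection actions, so keeping every other pod
# away from it limits what a foothold elsewhere in the cluster can reach.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: chaos-daemon-restrict-ingress
  namespace: chaos-mesh
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: chaos-mesh
      app.kubernetes.io/component: chaos-daemon
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: chaos-mesh
              app.kubernetes.io/component: controller-manager
```

Apply with `kubectl apply -f` and confirm the effect from a pod outside the namespace: a connection attempt to the controller manager's debugging port from such a pod should now time out, while the dashboard keeps working and Chaos Mesh experiments still reach the daemon. If the webhook stops answering after the policy is applied, the webhook port placeholder does not match the deployment and needs correcting rather than the policy being removed.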
