Chaos Mesh CVE-2025-59358: Brief Summary of Cluster-wide GraphQL Authentication Bypass

This post provides a brief summary of CVE-2025-59358, a high-severity authentication bypass in Chaos Mesh's Controller Manager. The vulnerability exposes a GraphQL debugging server to the entire Kubernetes cluster without authentication, allowing arbitrary process termination in any pod and enabling denial of service attacks. Includes affected versions, technical details, and references.
ZeroPath CVE Analysis

2025-09-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Unrestricted process termination across every Kubernetes pod can instantly disrupt application availability and reliability in production clusters. Security teams using Chaos Mesh for chaos engineering should be aware that a recent vulnerability allows attackers to trigger cluster-wide denial of service by abusing a debugging interface.

About Chaos Mesh: Chaos Mesh is an open-source chaos engineering platform incubated by the CNCF and developed by PingCAP. It is widely adopted for resilience testing in Kubernetes environments, with hundreds of contributors and a significant footprint in the cloud-native ecosystem. Chaos Mesh provides fault injection, workflow orchestration, and advanced chaos experiment capabilities for Kubernetes clusters.

Technical Information

CVE-2025-59358 is a high-severity vulnerability (CVSS 7.5) in the Chaos Controller Manager component of Chaos Mesh. The issue is classified as CWE-306 (Missing Authentication for Critical Function).

Root Cause:

  • The Controller Manager exposes a GraphQL debugging server to the entire Kubernetes cluster network.
  • This GraphQL server lacks any authentication or authorization mechanism.
  • The server exposes an API that lets any caller kill arbitrary processes in any pod in the cluster.
  • Any user or service with network access to the Controller Manager can use GraphQL introspection to enumerate available operations and invoke mutations to terminate processes in pods.

Attack Flow:

  1. Attacker discovers the exposed GraphQL endpoint within the cluster.
  2. Using GraphQL introspection, the attacker enumerates available operations.
  3. The attacker crafts a mutation to invoke the process termination API.
  4. The Controller Manager, running with elevated privileges, executes the process kill in the targeted pod.
  5. Repeated use can result in cluster-wide denial of service.

No authentication or authorization is required at any step.

Affected Systems and Versions

  • Product: Chaos Mesh (CNCF incubating project)
  • Component: Chaos Controller Manager
  • The vulnerability affects all deployments where the Controller Manager's GraphQL debugging server is reachable from the cluster network and is not protected by authentication.
  • No specific version numbers or version ranges were provided in the available references. Users should check their deployment for exposure of the unauthenticated GraphQL endpoint.
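The exposure check suggested above, as an added example that is not part of the original post or of Chaos Mesh itself: it sends the same kind of unauthenticated introspection query the advisory describes and classifies the answer, without invoking any mutation. The endpoint URL (host, port and path of the Controller Manager's GraphQL server) is deployment-specific and is assumed to be supplied by the caller.

```python
import json
import urllib.error
import urllib.request

# Minimal introspection query: asks only for the names of the mutations the
# server exposes. A server that answers this without credentials is, for the
# purposes of CVE-2025-59358, reachable and unauthenticated.
INTROSPECTION_QUERY = "{ __schema { mutationType { fields { name } } } }"


def classify_response(status, body):
    """Classify an HTTP status and body returned by the GraphQL endpoint.

    Returns (verdict, mutation_names); verdict is 'protected', 'exposed'
    or 'unknown'. mutation_names is only filled when the server answered
    the introspection query, i.e. when the endpoint is exposed.
    """
    if status in (401, 403):
        return "protected", []
    if status != 200:
        return "unknown", []
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return "unknown", []
    if not isinstance(payload, dict):
        return "unknown", []
    schema = (payload.get("data") or {}).get("__schema") or {}
    mutation_type = schema.get("mutationType") or {}
    fields = mutation_type.get("fields") or []
    names = sorted(f["name"] for f in fields if isinstance(f, dict) and "name" in f)
    if names:
        return "exposed", names
    return "unknown", []


def probe(url, timeout=5.0):
    """POST the introspection query with no credentials and classify the reply.

    url is an assumption: the GraphQL endpoint of the Controller Manager as
    deployed in your cluster (the page does not state its port or path).
    """
    data = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable", []
```

Run it from inside the cluster network (for example from a debugging pod) with the endpoint URL as an argument to `probe`; a verdict of `exposed` means the endpoint answers introspection without any credentials and should be firewalled or disabled.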

Vendor Security History

  • Chaos Mesh maintains a public security policy and history of vulnerability disclosures on GitHub.
  • Previous security advisories are available: https://github.com/chaos-mesh/chaos-mesh/security
  • The vendor responded to CVE-2025-59358 with a public fix and coordinated disclosure with JFrog researchers.

References
