Chaos Mesh CVE-2025-59359: Brief Summary of Critical OS Command Injection in cleanTcs Mutation

This post provides a brief summary of CVE-2025-59359, a critical OS command injection vulnerability in the cleanTcs mutation of Chaos Mesh's Chaos Controller Manager. The flaw allows unauthenticated in-cluster attackers to execute arbitrary commands, potentially leading to remote code execution across Kubernetes clusters. Key technical details, affected versions, and references are included.
ZeroPath CVE Analysis

2025-09-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote code execution across an entire Kubernetes cluster is possible for unauthenticated in-cluster attackers due to a critical flaw in Chaos Mesh. CVE-2025-59359, an OS command injection vulnerability in the cleanTcs mutation of the Chaos Controller Manager, enables this attack vector and poses a severe risk to organizations leveraging chaos engineering in production.

About Chaos Mesh: Chaos Mesh is an open-source chaos engineering platform designed for Kubernetes. Backed by the Cloud Native Computing Foundation (CNCF) as an incubating project, it is widely adopted by organizations such as Tencent and Meituan for resilience testing of distributed systems. Its privileged access to cluster resources and integration with CI/CD pipelines make it a critical component in many cloud-native environments.

Technical Information

CVE-2025-59359 is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability exists in the cleanTcs mutation function within the Chaos Controller Manager component of Chaos Mesh. This function is responsible for cleaning up Linux traffic control (TC) configurations after network chaos experiments.

The root cause is improper input validation: user-supplied parameters from chaos experiment specifications are concatenated directly into shell commands executed by the Controller Manager. Because these parameters are not sanitized, an attacker who controls them can inject arbitrary shell commands. When the vulnerable mutation is triggered, the injected commands execute with the privileges of the Controller Manager process, which typically has broad permissions in the Kubernetes environment.
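The following Go snippet is an added illustration of the pattern described above, placed beside a hardened form; it is not Chaos Mesh code (the post notes that no public snippets exist), and the function names, the interface-name regex and the `tc qdisc del` command are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Assumed allow-list for a Linux interface name: 1-15 characters drawn from
// letters, digits, '_', '.' and '-'. Shell metacharacters can never pass.
var ifaceRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)

// unsafeCleanTcCommand mirrors the vulnerable pattern: the interface name taken
// from the experiment spec is pasted into a string destined for `sh -c`.
// It only returns the string; nothing is executed here.
func unsafeCleanTcCommand(iface string) string {
	return fmt.Sprintf("tc qdisc del dev %s root", iface)
}

// safeCleanTcCommand validates the value against the allow-list and builds an
// argv slice, so the interface name is passed as a single argument and is
// never interpreted by a shell.
func safeCleanTcCommand(iface string) (*exec.Cmd, error) {
	if !ifaceRe.MatchString(iface) {
		return nil, fmt.Errorf("invalid interface name %q", iface)
	}
	return exec.Command("tc", "qdisc", "del", "dev", iface, "root"), nil
}

func main() {
	// Constructed inputs: a normal interface name and one carrying a metacharacter.
	for _, name := range []string{"eth0", "eth0; echo injected"} {
		fmt.Printf("shell string:   %q\n", unsafeCleanTcCommand(name))
		if cmd, err := safeCleanTcCommand(name); err != nil {
			fmt.Printf("hardened form:  rejected (%v)\n", err)
		} else {
			fmt.Printf("hardened form:  argv %q\n", cmd.Args)
		}
	}
}
```

The hardened variant rejects the second input outright, whereas the string-building variant would hand the whole text, metacharacter included, to a shell.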

The risk is significantly increased when CVE-2025-59359 is chained with CVE-2025-59358, which allows unauthenticated access to the mutation. This combination enables attackers with only in-cluster network access to achieve remote code execution across the cluster.

No public code snippets are available for this vulnerability. The technical details are confirmed through the references and vendor advisories.

Affected Systems and Versions

  • Product: Chaos Mesh (Chaos Controller Manager component)
  • Vulnerable Function: cleanTcs mutation
  • Affected versions: Specific affected versions are not listed in the public references. Users should consult the official GitHub PR 4702 and vendor advisories for exact version information and upgrade guidance.
  • Vulnerable configurations: Deployments where the Chaos Controller Manager is reachable by unauthenticated in-cluster users and where network chaos experiments are enabled.

Vendor Security History

Chaos Mesh has previously addressed vulnerabilities related to privilege escalation and code execution due to its privileged operational model. The project has responded to critical issues with timely patches and public advisories. As a CNCF incubating project, it is subject to community-driven security review, but its broad permissions and integration with cluster infrastructure continue to make it a high-value target for attackers.

References