Introduction
Remote code execution across an entire Kubernetes cluster is possible through a single API request to a widely used chaos engineering tool. CVE-2025-59360 enables unauthenticated attackers to execute arbitrary operating system commands on every node managed by Chaos Mesh, a platform trusted by reliability teams in production environments. This vulnerability, reported by JFrog Security Research, is rated critical with a CVSS score of 9.8 and is especially dangerous when paired with the authentication bypass tracked as CVE-2025-59358.
About Chaos Mesh: Chaos Mesh is an open-source chaos engineering platform incubated by the Cloud Native Computing Foundation. It is used by organizations worldwide to test the resilience of Kubernetes clusters through controlled fault injection. The project is maintained by a global community, with thousands of users and active deployments in both testing and production environments. Its deep integration with Kubernetes and privileged access to cluster nodes make it a high-impact component in cloud-native infrastructure.
Technical Information
CVE-2025-59360 is a command injection vulnerability in the killProcesses mutation of the Chaos Controller Manager component. This mutation allows users to terminate processes on cluster nodes as part of chaos experiments. The vulnerability occurs because user-supplied input to the mutation endpoint is not properly sanitized before being incorporated into shell commands executed by the underlying operating system.
When an attacker supplies specially crafted input containing shell metacharacters or command separators, the vulnerable code path passes this input directly to the shell. As a result, arbitrary commands can be executed with the privileges of the Chaos Daemon, which typically runs as a privileged DaemonSet on every node in the cluster. This enables attackers to:
- Execute arbitrary commands on every node
- Move laterally within the cluster
- Exfiltrate sensitive data
- Establish persistent access
The attack does not require prior authentication if CVE-2025-59358 is also present, as that vulnerability enables unauthenticated access to the mutation endpoint. The combination of these vulnerabilities allows for remote code execution across the cluster from any in-cluster location.
No public code snippets or detailed vulnerable code lines have been provided in the referenced materials. The vulnerability is confirmed and tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common root cause for command injection issues in software that constructs shell commands from user input.
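Since the referenced materials give no vulnerable code, the following is a constructed illustration of the CWE-78 pattern described above, not Chaos Mesh's own code: one function splices a request-supplied PID into a shell command line, while the hardened path validates the value and signals the process through the OS API without any shell. The function names and the sample request value are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"syscall"
)

// Constructed illustration of the CWE-78 pattern behind CVE-2025-59360; this is
// not Chaos Mesh code. It contrasts splicing request input into a shell command
// line with validating the input and signalling the process directly.
// vulnerableKillCommand is the anti-pattern: the request string becomes part
// of a shell command line, so any shell metacharacters in it reach the shell.
func vulnerableKillCommand(pidFromRequest string) string {
	return "kill -9 " + pidFromRequest
}

// pidPattern admits only a positive decimal integer: no whitespace, no
// separators, no leading zeros, so nothing a shell could interpret.
var pidPattern = regexp.MustCompile(`^[1-9][0-9]{0,9}$`)

// validatePID rejects anything that is not a plain positive PID up front.
func validatePID(raw string) (int, error) {
	if !pidPattern.MatchString(raw) {
		return 0, fmt.Errorf("invalid pid %q: must be a positive decimal integer", raw)
	}
	return strconv.Atoi(raw)
}

// hardenedKill validates the PID and signals through the OS API: no command line, no shell.
func hardenedKill(raw string) error {
	pid, err := validatePID(raw)
	if err != nil {
		return err
	}
	proc, err := os.FindProcess(pid)
	if err != nil {
		return err
	}
	return proc.Signal(syscall.SIGKILL)
}

func main() {
	in := "1234; echo injected" // constructed request value containing a shell separator
	_, err := validatePID(in)
	fmt.Printf("shell line %q; accepted by validator: %v\n", vulnerableKillCommand(in), err == nil)
}
```

The same allow-list approach applies to any other field the mutation forwards to the daemon: validate against the narrowest possible grammar and never hand the result to `sh -c`.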
Affected Systems and Versions
- Product: Chaos Mesh (Cloud Native Computing Foundation incubating project)
- Component: Chaos Controller Manager (killProcesses mutation)
- Deployment: Kubernetes clusters with Chaos Mesh installed
- Version information: No specific affected version numbers are provided in the public sources as of the publication date. All deployments using the killProcesses mutation in Chaos Controller Manager should be considered potentially vulnerable until official advisories specify otherwise.
- Vulnerable configuration: Any cluster where the Chaos Controller Manager is reachable from untrusted or unauthenticated network locations, especially if CVE-2025-59358 is also present.
Vendor Security History
Chaos Mesh has a published security policy and has previously responded to vulnerabilities via public advisories and code updates. The project is actively maintained on GitHub, with a history of engaging with security researchers and addressing reported issues. Prior to 2025, no critical vulnerabilities were reported in Chaos Mesh (see CVE Details). The discovery of CVE-2025-59360 and related issues highlights the risks associated with privileged Kubernetes tooling and the importance of ongoing security review.