Chaos Mesh CVE-2025-59360: Brief Summary of Critical Command Injection in Kubernetes Chaos Controller Manager

This post provides a brief summary of CVE-2025-59360, a critical command injection vulnerability in Chaos Mesh's Chaos Controller Manager for Kubernetes. We cover the technical mechanism, affected versions, and vendor security context, with references to public advisories and research.
CVE Analysis

ZeroPath CVE Analysis

2025-09-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Remote code execution across an entire Kubernetes cluster is possible through a single API request to a widely used chaos engineering tool. CVE-2025-59360 enables unauthenticated attackers to execute arbitrary operating system commands on every node managed by Chaos Mesh, a platform trusted by reliability teams in production environments. This vulnerability, reported by JFrog Security Research, is rated critical with a CVSS score of 9.8 and is especially dangerous when paired with authentication bypass (CVE-2025-59358).

About Chaos Mesh: Chaos Mesh is an open-source chaos engineering platform incubated by the Cloud Native Computing Foundation. It is used by organizations worldwide to test the resilience of Kubernetes clusters through controlled fault injection. The project is maintained by a global community, with thousands of users and active deployments in both testing and production environments. Its deep integration with Kubernetes and privileged access to cluster nodes make it a high-impact component in cloud-native infrastructure.

Technical Information

CVE-2025-59360 is a command injection vulnerability in the killProcesses mutation of the Chaos Controller Manager component. This mutation allows users to terminate processes on cluster nodes as part of chaos experiments. The vulnerability occurs because user-supplied input to the mutation endpoint is not properly sanitized before being incorporated into shell commands executed by the underlying operating system.

When an attacker supplies specially crafted input containing shell metacharacters or command separators, the vulnerable code path passes this input directly to the shell. As a result, arbitrary commands can be executed with the privileges of the Chaos Daemon, which typically runs as a privileged DaemonSet on every node in the cluster. This enables attackers to:

  • Execute arbitrary commands on every node
  • Move laterally within the cluster
  • Exfiltrate sensitive data
  • Establish persistent access

The attack does not require prior authentication if CVE-2025-59358 is also present, as that vulnerability enables unauthenticated access to the mutation endpoint. The combination of these vulnerabilities allows for remote code execution across the cluster from any in-cluster location.

No public code snippets or detailed vulnerable code lines have been provided in the referenced materials. The vulnerability is confirmed and tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common root cause for command injection issues in software that constructs shell commands from user input.
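Since the vulnerable lines are not public, the following Go snippet is an added illustration (not code from Chaos Mesh) of the CWE-78 pattern the text describes: a process-list field spliced into a shell command line, beside a hardened form that validates the field as positive integers and passes each one as its own argv element with no shell involved. Function names and the whitespace-separated PID format are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// vulnerableKillCommand illustrates the CWE-78 pattern (hypothetical, not Chaos
// Mesh code): the request field is spliced into a shell line, so sh interprets it.
func vulnerableKillCommand(pids string) *exec.Cmd {
	return exec.Command("sh", "-c", "kill -9 "+pids)
}

// parsePIDs is the hardened counterpart: only whitespace-separated positive decimal
// integers pass; anything else rejects the request before a command is built.
func parsePIDs(input string) ([]int, error) {
	var pids []int
	for _, f := range strings.Fields(input) {
		n, err := strconv.ParseUint(f, 10, 31) // no sign, no hex, no metacharacters
		if err != nil || n == 0 {
			return nil, fmt.Errorf("invalid pid %q: must be a positive integer", f)
		}
		pids = append(pids, int(n))
	}
	if len(pids) == 0 {
		return nil, fmt.Errorf("invalid pid list: empty")
	}
	return pids, nil
}

// safeKillCommand never invokes a shell: each validated PID is its own argv
// element, so the input cannot change which command is executed.
func safeKillCommand(pids []int) *exec.Cmd {
	args := []string{"-9"}
	for _, p := range pids {
		args = append(args, strconv.Itoa(p))
	}
	return exec.Command("kill", args...)
}

func main() {
	crafted := "123; id" // constructed malformed PID field, for illustration only
	fmt.Println("shell form would run:", vulnerableKillCommand(crafted).Args)
	_, err := parsePIDs(crafted)
	fmt.Println("hardened form rejects it:", err)
	pids, _ := parsePIDs("123 456")
	fmt.Println("argv form:", safeKillCommand(pids).Args)
}
```

Neither command is executed here; the block only prints the argument vectors so the difference between the shell form and the argv form is visible.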

Affected Systems and Versions

  • Product: Chaos Mesh (Cloud Native Computing Foundation incubating project)
  • Component: Chaos Controller Manager (killProcesses mutation)
  • Deployment: Kubernetes clusters with Chaos Mesh installed
  • Version information: No specific affected version numbers are provided in the public sources as of the publication date. All deployments using the killProcesses mutation in Chaos Controller Manager should be considered potentially vulnerable until official advisories specify otherwise.
  • Vulnerable configuration: Any cluster where the Chaos Controller Manager is reachable from untrusted or unauthenticated network locations, especially if CVE-2025-59358 is also present.

Vendor Security History

Chaos Mesh has a published security policy and has previously responded to vulnerabilities via public advisories and code updates. The project is actively maintained on GitHub, with a history of engaging with security researchers and addressing reported issues. Prior to 2025, no critical vulnerabilities were reported in Chaos Mesh (see CVE Details). The discovery of CVE-2025-59360 and related issues highlights the risks associated with privileged Kubernetes tooling and the importance of ongoing security review.
