Chaos Mesh CVE-2025-59361: Brief Summary of Critical Command Injection in cleanIptables Mutation

A brief summary of CVE-2025-59361, a critical OS command injection vulnerability in the cleanIptables mutation of Chaos Mesh's Controller Manager. This post covers technical details, affected versions, and vendor context based on available public sources.
ZeroPath CVE Analysis

2025-09-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Unauthenticated attackers with network access inside a Kubernetes cluster can reach remote code execution across that cluster through a critical flaw in a core chaos engineering tool. CVE-2025-59361 affects Chaos Mesh, an open-source chaos engineering platform incubated by the Cloud Native Computing Foundation (CNCF) and widely used for resilience testing in Kubernetes environments.

About Chaos Mesh:

  • Open-source project for chaos engineering on Kubernetes
  • Maintained by a community led by PingCAP, with CNCF incubation status
  • Used by organizations globally to test distributed system resilience

Technical Information

CVE-2025-59361 is an OS command injection vulnerability (CWE-78) in the cleanIptables mutation exposed by the Chaos Controller Manager component of Chaos Mesh (a mutation here is a GraphQL operation that changes state). The mutation is meant to remove iptables rules left behind by network chaos experiments. It builds the cleanup command from caller-supplied input without validating it, so an attacker who can influence that input can inject shell metacharacters and have arbitrary commands run. The Controller Manager does not run iptables itself: it relays the command to the Chaos Daemon, which runs with elevated host privileges so that it can modify iptables rules inside pods' network namespaces. Injected commands therefore execute with the daemon's privileges, not those of an ordinary pod.

The attack is especially severe when chained with CVE-2025-59358, which provides the initial access vector by letting an attacker with in-cluster network access reach the Controller Manager's mutations without authentication. Together, the two flaws allow an unauthenticated in-cluster attacker to achieve remote code execution across the cluster.

Key technical points:

  • The vulnerable function is responsible for cleaning up iptables rules after network chaos experiments
  • Its input is neither validated nor escaped, so shell metacharacters in a request become additional commands
  • Chaos Mesh components such as the Chaos Daemon run with elevated privileges, so injected commands are not confined to an unprivileged pod
  • The injection fires whenever the cleanup mutation is invoked with attacker-controlled input; chained with CVE-2025-59358, an attacker can invoke it directly rather than waiting for a legitimate experiment to reach its cleanup phase

The public sources consulted here contain no code snippets or direct code references; the vulnerability is discussed in the context of GitHub pull request #4702.
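To make the CWE-78 pattern concrete, the following is an added example in Go (the project's language); it is not Chaos Mesh's code and does not reconstruct the actual patch. It places an illustrative cleanup helper that splices a caller-supplied chain name into a shell script string beside a hardened version that allowlists chain names and builds argv without a shell, plus a small triage helper for spotting shell metacharacters in logged request values. The function names, the allowlist regex and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// vulnerableCleanIptablesScript shows the CWE-78 pattern described above:
// a caller-supplied chain name is spliced into a script string that is then
// handed to "sh -c". Illustrative reconstruction only, not Chaos Mesh's code.
// A ';', '|', '&', '`' or '$(' inside chain turns into a second command.
func vulnerableCleanIptablesScript(chains []string) []string {
	scripts := make([]string, 0, len(chains))
	for _, chain := range chains {
		scripts = append(scripts, fmt.Sprintf("iptables -F %s && iptables -X %s", chain, chain))
	}
	return scripts
}

// chainNameRe is a strict allowlist for chain names (assumed policy for this
// example). iptables caps chain names at 28 characters; the character set is
// deliberately narrower than what iptables accepts so no shell syntax passes.
var chainNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,28}$`)

// ValidateChain rejects anything that is not a plain chain name.
func ValidateChain(name string) error {
	if !chainNameRe.MatchString(name) {
		return fmt.Errorf("invalid iptables chain name %q", name)
	}
	return nil
}

// HardenedCleanIptablesArgv validates every chain and returns argv slices for
// exec.Command (or a daemon exec API that takes argv). Each element is a
// separate OS argument, so metacharacters are inert: no shell ever parses them.
func HardenedCleanIptablesArgv(chains []string) ([][]string, error) {
	if len(chains) == 0 {
		return nil, errors.New("no chains given")
	}
	argvs := make([][]string, 0, 2*len(chains))
	for _, chain := range chains {
		if err := ValidateChain(chain); err != nil {
			return nil, err
		}
		argvs = append(argvs,
			[]string{"iptables", "-F", chain},
			[]string{"iptables", "-X", chain})
	}
	return argvs, nil
}

// HasShellMeta flags request values worth a closer look in audit trails:
// any character a POSIX shell treats as syntax rather than data.
func HasShellMeta(s string) bool {
	return strings.ContainsAny(s, ";|&$`\\\"'<>(){}\n")
}

func main() {
	benign := []string{"CHAOS-INPUT"}
	hostile := []string{"INPUT; id"} // constructed sample input for the demo

	fmt.Println("vulnerable script:", vulnerableCleanIptablesScript(hostile)[0])
	if _, err := HardenedCleanIptablesArgv(hostile); err != nil {
		fmt.Println("hardened rejects:", err)
	}
	argvs, _ := HardenedCleanIptablesArgv(benign)
	fmt.Printf("hardened argv: %q\n", argvs)
	fmt.Println("metacharacters in hostile input:", HasShellMeta(hostile[0]))
}
```

The key design point is the second half: validation is a defence in depth, but the fix that removes the bug class is never letting a shell parse attacker-influenced text. Passing argv directly means even a value that slips past the allowlist is just an odd chain name that iptables rejects, not a command.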

Affected Systems and Versions

  • Product: Chaos Mesh
  • Component: Chaos Controller Manager (cleanIptables mutation)
  • Version information: The public sources do not list specific affected versions. Treat every deployment that exposes the vulnerable cleanIptables mutation as potentially affected, in particular any not updated after September 15, 2025.
  • Vulnerable configurations: Any Kubernetes cluster running Chaos Mesh with network chaos functionality enabled and the default permissions for the Chaos Daemon or Controller Manager.

Vendor Security History

  • Chaos Mesh has a limited history of publicly disclosed vulnerabilities (CVE Details).
  • The project is maintained by a community led by PingCAP and is incubated by CNCF.
  • Security fixes are shipped through GitHub pull requests; the response to this vulnerability was prompt (PR #4702).
