VYPR
High severity · OSV Advisory · Published Sep 15, 2025 · Updated Sep 15, 2025

Denial of Service via Unauthorized Access to Chaos Mesh debugging server

CVE-2025-59358

Description

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Chaos Mesh's Chaos Controller Manager exposes an unauthenticated GraphQL debugging API that allows attackers to kill arbitrary processes in any pod, enabling cluster-wide denial of service.

Vulnerability

Overview

The Chaos Controller Manager component of Chaos Mesh, a Kubernetes-native chaos engineering platform, exposes a GraphQL debugging server on port 10080 without any authentication [1][2]. This server provides an API that can be used to kill arbitrary processes in any Kubernetes pod within the cluster [3]. The service is accessible to any entity with network access to the cluster, including unprivileged pods [2].

Exploitation

An attacker who has already gained initial access to the cluster's network—for example, by compromising an unprivileged pod—can reach the unauthenticated GraphQL endpoint [2]. No additional credentials or permissions are required beyond network connectivity. The attacker can then craft GraphQL queries to terminate processes in any pod, effectively causing a denial of service condition across the cluster [3].

Impact

Successful exploitation allows the attacker to kill arbitrary processes in any pod, leading to a cluster-wide denial of service [3]. This can disrupt all applications running on the cluster, potentially causing data loss, service unavailability, and operational downtime. The vulnerability is part of a set of issues collectively named "Chaotic Deputy" by JFrog Security Research, which includes other critical vulnerabilities that could lead to full cluster takeover [2].

Mitigation

The vulnerability has been addressed in Chaos Mesh version 2.7.3 [2]. Users are strongly advised to upgrade to this fixed version as soon as possible. For those unable to upgrade immediately, the advisory suggests reviewing the workarounds provided in the JFrog blog post [2]. The fix disables the debugging server by default, as shown by the pull request in reference [1].
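A check for residual exposure after upgrading, added here as an example and not taken from the advisory or the Chaos Mesh project: it reads `kubectl get deploy,svc -n <namespace> -o json` output and flags the `ctrl` port (10082) and `CTRL_ADDR` setting that the fix commit removes from install.sh. The function names, object names and sample objects are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Identifiers taken from the install.sh hunks of the fix commit on this page.
CTRL_PORT, CTRL_NAME, CTRL_ENV = 10082, "ctrl", "CTRL_ADDR"

def audit_ctrl_exposure(k8s_list):
    """Return (object, reason) pairs for a `kubectl get ... -o json` List document."""
    findings = []
    for obj in k8s_list.get("items", []):
        kind, spec = obj.get("kind", ""), obj.get("spec", {})
        ref = f'{kind}/{obj.get("metadata", {}).get("name", "?")}'
        if kind == "Service":
            for p in spec.get("ports", []):
                # targetPort may be a number or a named container port.
                if CTRL_PORT in (p.get("port"), p.get("targetPort")) \
                        or CTRL_NAME in (p.get("name"), p.get("targetPort")):
                    findings.append((ref, f'Service publishes port {p.get("port")}'))
        elif kind in ("Deployment", "StatefulSet", "DaemonSet"):
            for c in spec.get("template", {}).get("spec", {}).get("containers", []):
                for e in c.get("env", []):
                    if e.get("name") == CTRL_ENV:
                        findings.append((ref, f'{CTRL_ENV}={e.get("value", "<valueFrom>")}'))
                for p in c.get("ports", []):
                    if p.get("name") == CTRL_NAME or p.get("containerPort") == CTRL_PORT:
                        findings.append((ref, f'containerPort {p.get("containerPort")} declared'))
    return findings

def sample_list(with_ctrl):  # constructed sample; object and container names are placeholders
    svc_ports = [{"name": "pprof", "port": 10081, "targetPort": "pprof"},
                 {"name": "http", "port": 10080, "targetPort": "http"}]
    env = [{"name": "PPROF_ADDR", "value": ":10081"}]
    ports = [{"name": "http", "containerPort": 10080}, {"name": "pprof", "containerPort": 10081}]
    if with_ctrl:  # the entries the pre-fix install.sh rendered
        svc_ports.append({"name": "ctrl", "port": 10082, "targetPort": "ctrl"})
        env.append({"name": "CTRL_ADDR", "value": ":10082"})
        ports.append({"name": "ctrl", "containerPort": 10082})
    meta = {"name": "example-controller-manager"}
    return {"kind": "List", "items": [
        {"kind": "Service", "metadata": meta, "spec": {"ports": svc_ports}},
        {"kind": "Deployment", "metadata": meta, "spec": {"template": {"spec": {
            "containers": [{"name": "manager", "env": env, "ports": ports}]}}}}]}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run against the constructed sample.
    data = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else sample_list(True)
    for ref, reason in audit_ctrl_exposure(data):
        print(f"{ref}: {reason}")
```

An empty result covers declared configuration only; it does not prove that the controller-manager process has stopped listening on the pod IP.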

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/chaos-mesh/chaos-mesh (Go)
Affected versions: < 2.7.3
Patched versions: 2.7.3

Patches

67281c36f806

chore!: disable chaosctl by default (#4702)

https://github.com/chaos-mesh/chaos-mesh · Yue Yang · Jul 22, 2025 · via ghsa
4 files changed · +3 -10
  • CHANGELOG.md+1 0 modified
    @@ -26,6 +26,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
     - Adopt vite and swc in the Dashboard UI [#4688](https://github.com/chaos-mesh/chaos-mesh/pull/4688)
     - Update usage about helm-values-schema-json [#4719](https://github.com/chaos-mesh/chaos-mesh/pull/4719)
     - Update swag to v1.16.4
    +- Update `enableCtrlServer` to `false` by default in the Helm chart [#4702](https://github.com/chaos-mesh/chaos-mesh/pull/4702)
     
     ### Deprecated
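Review bot: the added CHANGELOG entry records a default flip but does not mark it as breaking or say what it affects, even though the commit title carries `!`. Anyone relying on chaosctl loses it after upgrading unless they set `enableCtrlServer=true`; suggest stating that in the entry, along with the fact that the ctrl server is now off by default.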
     
    
  • .github/workflows/integration_test.yml+1 1 modified
    @@ -85,7 +85,7 @@ jobs:
             run: |
               helm install --wait --create-namespace chaos-mesh helm/chaos-mesh \
                 -n=chaos-mesh --set images.tag=latest --set chaosDaemon.env.DOCKER_API_VERSION=1.41 \
    -            --set controllerManager.chaosdSecurityMode=false
    +            --set controllerManager.chaosdSecurityMode=false,enableCtrlServer=true
               kubectl port-forward -n chaos-mesh svc/chaos-dashboard 2333:2333 &
     
           - uses: actions/setup-go@v5
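Review bot: in the `helm install` line, `--set controllerManager.chaosdSecurityMode=false,enableCtrlServer=true` reads as if both keys sit under `controllerManager`, but the comma starts a new path, so this sets the top-level `enableCtrlServer` from values.yaml. That is the right key; a separate `--set enableCtrlServer=true` would make it obvious. A short comment explaining why CI turns the ctrl server back on would also help, since this is now the one place in the repo that deviates from the new default.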
    
  • helm/chaos-mesh/values.yaml+1 1 modified
    @@ -42,7 +42,7 @@ timezone: "UTC"
     enableProfiling: true
     
     # enableCtrlServer is a flag to enable ctrlserver which provides service to chaosctl in controller-manager.
    -enableCtrlServer: true
    +enableCtrlServer: false
     
     images:
       # images.registry is the global container registry for the images, you could replace it with your self-hosted container registry.
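Review bot: the comment above `enableCtrlServer` still only says what the flag is for. With the default now `false`, it should say what turning it on exposes and that it belongs only in clusters where access to that port is restricted, for example by a NetworkPolicy. `enableProfiling: true` directly above keeps its default in the same hunk; worth confirming that is intended.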
    
  • install.sh+0 8 modified
    @@ -1507,10 +1507,6 @@ spec:
           targetPort: pprof
           protocol: TCP
           name: pprof
    -    - port: 10082
    -      targetPort: ctrl
    -      protocol: TCP
    -      name: ctrl
         - port: 10080
           targetPort: http
           protocol: TCP
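Review bot: this Service hunk drops the `ctrl` port with no way to opt back in, while the Helm chart keeps `enableCtrlServer` as a switch. If install.sh users are expected to run chaosctl, document how; if not, say so in the script's usage text. The `pprof` entry just above is still published by the same Service, so check whether it needs the same treatment.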
    @@ -1879,8 +1875,6 @@ spec:
                 value: "false"
               - name: PPROF_ADDR
                 value: ":10081"
    -          - name: CTRL_ADDR
    -            value: ":10082"
               - name: CHAOS_DNS_SERVICE_NAME
                 value: chaos-mesh-dns-server
               - name: CHAOS_DNS_SERVICE_PORT
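Review bot: removing `CTRL_ADDR` from the env block only disables the server if controller-manager treats an unset value as "do not listen". None of the four changed files touches the binary's defaults, so please confirm it does not fall back to a built-in listen address when the variable is absent, and note the answer in the PR description.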
    @@ -1910,8 +1904,6 @@ spec:
                 containerPort: 10080
               - name: pprof
                 containerPort: 10081
    -          - name: ctrl
    -            containerPort: 10082
           volumes:
             - name: webhook-certs
               secret:
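Review bot: dropping the `ctrl` entry from `ports` is cleanup, not enforcement. `containerPort` is declarative, so a process that listens on 10082 is still reachable on the pod IP. The protection rests on the server not being started; pair this hunk with a post-install check, or a NetworkPolicy in the manifest, that nothing answers on that port.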
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
