High severityOSV Advisory· Published Sep 15, 2025· Updated Sep 15, 2025
Denial of Service via Unauthorized Access to Chaos Mesh debugging server
CVE-2025-59358
Description
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/chaos-mesh/chaos-meshGo | < 2.7.3 | 2.7.3 |
Affected products
5- Range: chart-0.1.0, chart-0.1.1, chart-0.2.0, …
- ghsa-coords4 versionspkg:golang/github.com/chaos-mesh/chaos-meshpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
< 2.7.3+ 3 more
- (no CPE)range: < 2.7.3
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
- (no CPE)range: < 0.0.20250917T170349-1.1
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-2gg8-85m5-8r2pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-59358ghsaADVISORY
- github.com/chaos-mesh/chaos-mesh/commit/67281c36f8068bf103149318cd0a466417213a28ghsaWEB
- github.com/chaos-mesh/chaos-mesh/pull/4702ghsaWEB
- jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeoverghsaWEB
News mentions
0No linked articles in our index yet.