VYPR
Critical severity · OSV Advisory · Published Sep 15, 2025 · Updated Sep 15, 2025

OS command injection in Chaos Mesh via the killProcesses mutation

CVE-2025-59360

Description

The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The killProcesses mutation in Chaos Controller Manager allows OS command injection, enabling unauthenticated in-cluster attackers to achieve remote code execution across the cluster.

Vulnerability

Overview

The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. This flaw allows an attacker to inject arbitrary operating system commands through this GraphQL endpoint. When combined with CVE-2025-59358, which bypasses authentication, the vulnerability becomes exploitable by unauthenticated attackers with network access to the cluster [1][2][3].

Attack

Vector and Prerequisites

To exploit this vulnerability, an attacker must have initial access to the cluster's network. This access can be achieved even from an unprivileged pod. The attacker can then reach the Chaos Controller Manager's GraphQL server, which is exposed by default, and execute the killProcesses mutation with injected commands. No authentication is required due to the chained CVE-2025-59358 [2].

Impact

Successful exploitation allows the attacker to run arbitrary OS commands on any pod in the cluster. This enables actions such as stealing privileged service account tokens, deploying malicious workloads, or causing widespread disruption. The impact is a full cluster takeover, as the attacker can leverage the injected commands to compromise other components [2][3].

Mitigation

The Chaos Mesh maintainers have released version 2.7.3, which fixes these vulnerabilities by disabling the chaosctl feature by default and addressing the command injection in killProcesses [1][2]. Users are strongly advised to upgrade immediately. If upgrading is not possible, refer to the vendor's workarounds section for interim measures [2].
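As an added, defender-side check (not code from the Chaos Mesh project or from this advisory), the POSIX shell script below audits a controller-manager deployment for the two things the advisory and its fix commit make actionable: an image tag older than 2.7.3, and the ctrl-server listener indicators that the fix removes from the rendered manifests (the CTRL_ADDR environment variable, the port named ctrl, and port 10082). The manifest excerpts inside it are constructed samples, and the deployment name chaos-controller-manager mentioned in the usage comment is an assumption about a default install.

```shell
#!/bin/sh
# Added audit helper; not Chaos Mesh project code. It checks what a defender can
# verify locally from a controller-manager manifest and its image tag:
#   1. whether the image tag is older than 2.7.3 (the patched release);
#   2. whether the ctrl-server indicators that the fix commit deletes are still
#      present: the CTRL_ADDR env var, the port named "ctrl", port 10082.
# Both manifest excerpts below are constructed samples, not real cluster output.

# Constructed: pre-fix excerpt, mirroring the lines the fix removes from install.sh.
SAMPLE_PRE_FIX='
        env:
          - name: PPROF_ADDR
            value: ":10081"
          - name: CTRL_ADDR
            value: ":10082"
        ports:
          - name: pprof
            containerPort: 10081
          - name: ctrl
            containerPort: 10082
'

# Constructed: the same excerpt after the fix, with the ctrl listener removed.
SAMPLE_POST_FIX='
        env:
          - name: PPROF_ADDR
            value: ":10081"
        ports:
          - name: pprof
            containerPort: 10081
'

# numeric_version TAG -> prints MAJOR.MINOR.PATCH for a plain release tag (an
# optional leading "v" is dropped). Anything else ("latest", "2.7.3-rc1", a
# digest) fails, so callers treat it as "unknown" instead of guessing.
numeric_version() {
  v=${1#v}
  case "$v" in
    ''|*[!0-9.]*) return 1 ;;
  esac
  printf '%s' "$v"
}

# version_lt A B -> 0 if A < B, 1 if A >= B, 2 if either tag is not a plain version.
# Missing components are treated as 0, so "2.7" compares as 2.7.0.
version_lt() {
  a=$(numeric_version "$1") || return 2
  b=$(numeric_version "$2") || return 2
  old_ifs=$IFS
  IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$old_ifs
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && return 0 || return 1; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && return 0 || return 1; fi
  if [ "$a3" -lt "$b3" ]; then return 0; fi
  return 1
}

# chaos_mesh_version_vulnerable TAG -> 0 if TAG is older than 2.7.3, 1 if patched,
# 2 if the tag cannot be compared (check it by hand).
chaos_mesh_version_vulnerable() { version_lt "$1" "2.7.3"; }

# manifest_exposes_ctrl < manifest -> 0 if any ctrl-server indicator is on stdin.
manifest_exposes_ctrl() {
  grep -Eq 'name: CTRL_ADDR$|name: ctrl$|(containerPort|port): 10082$'
}

# audit TAG < manifest -> 0 if nothing to flag, 1 if the version is vulnerable or
# the ctrl listener is still configured, 2 if only the version is unparseable.
audit() {
  rc=0
  tag_rc=0
  chaos_mesh_version_vulnerable "$1" || tag_rc=$?
  case "$tag_rc" in
    0) echo "FLAG: image tag $1 is older than 2.7.3"; rc=1 ;;
    2) echo "WARN: image tag $1 is not a plain release version; check manually"; rc=2 ;;
    *) echo "ok: image tag $1 is 2.7.3 or newer" ;;
  esac
  if manifest_exposes_ctrl; then
    echo "FLAG: ctrl-server listener indicators (CTRL_ADDR / port 10082) present"
    rc=1
  else
    echo "ok: no ctrl-server listener indicators in manifest"
  fi
  return "$rc"
}

# Demo on the constructed samples. Against a live cluster you would instead feed
#   kubectl -n chaos-mesh get deploy chaos-controller-manager -o yaml
# on stdin and pass the tag from that object's image field (the deployment name
# is assumed to be the default one).
printf '%s\n' "$SAMPLE_PRE_FIX"  | audit 2.7.2 || true
printf '%s\n' "$SAMPLE_POST_FIX" | audit 2.7.3 || true
```

The version check is deliberately conservative: a tag it cannot parse (a digest, "latest", a pre-release suffix) is reported as unknown rather than silently treated as patched. The manifest scan keys on exactly the three indicators the fix commit deletes, so a cluster installed from a chart with enableCtrlServer=true still set will be flagged even when the image is 2.7.3 or newer.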

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/chaos-mesh/chaos-mesh (Go)
Affected versions: < 2.7.3
Patched versions: 2.7.3

Affected products

1

Patches

1
67281c36f806

chore!: disable chaosctl by default (#4702)

https://github.com/chaos-mesh/chaos-mesh · Yue Yang · Jul 22, 2025 · via ghsa
4 files changed · +3 −10
  • CHANGELOG.md+1 0 modified
    @@ -26,6 +26,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
     - Adopt vite and swc in the Dashboard UI [#4688](https://github.com/chaos-mesh/chaos-mesh/pull/4688)
     - Update usage about helm-values-schema-json [#4719](https://github.com/chaos-mesh/chaos-mesh/pull/4719)
     - Update swag to v1.16.4
    +- Update `enableCtrlServer` to `false` by default in the Helm chart [#4702](https://github.com/chaos-mesh/chaos-mesh/pull/4702)
     
     ### Deprecated
     
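Review bot: the new changelog line records only the default flip, but the commit is marked breaking (`chore!`) and the install.sh hunks in the same change also drop the ctrl Service port, the container port and CTRL_ADDR. The entry should say that chaosctl stops working out of the box unless `enableCtrlServer=true` is set explicitly, and that the default was changed as a security hardening, so that operators reading the changelog understand both the breakage and why they should not casually turn the flag back on.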
    
  • .github/workflows/integration_test.yml+1 1 modified
    @@ -85,7 +85,7 @@ jobs:
             run: |
               helm install --wait --create-namespace chaos-mesh helm/chaos-mesh \
                 -n=chaos-mesh --set images.tag=latest --set chaosDaemon.env.DOCKER_API_VERSION=1.41 \
    -            --set controllerManager.chaosdSecurityMode=false
    +            --set controllerManager.chaosdSecurityMode=false,enableCtrlServer=true
               kubectl port-forward -n chaos-mesh svc/chaos-dashboard 2333:2333 &
     
           - uses: actions/setup-go@v5
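Review bot: the integration job now forces `enableCtrlServer=true`, so CI keeps exercising the old configuration and nothing verifies the new default. Add a second install (or a post-install step) that leaves the flag at its default and asserts that the controller-manager Service has no `ctrl`/10082 port and that `CTRL_ADDR` is absent from the pod spec; without that, a later chart change could silently re-enable the listener and no test would notice.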
    
  • helm/chaos-mesh/values.yaml+1 1 modified
    @@ -42,7 +42,7 @@ timezone: "UTC"
     enableProfiling: true
     
     # enableCtrlServer is a flag to enable ctrlserver which provides service to chaosctl in controller-manager.
    -enableCtrlServer: true
    +enableCtrlServer: false
     
     images:
       # images.registry is the global container registry for the images, you could replace it with your self-hosted container registry.
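Review bot: the comment above `enableCtrlServer` still reads as a neutral feature toggle. Since the default now changes to `false` for a security reason, say so in the comment: that ctrlserver is the GraphQL endpoint chaosctl talks to, that enabling it exposes that endpoint to in-cluster clients, and that anyone who opts back in must be on a release carrying the killProcesses injection fix. The default flip in this hunk alone does nothing for a cluster whose values already pin the flag to `true`.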
    
  • install.sh+0 8 modified
    @@ -1507,10 +1507,6 @@ spec:
           targetPort: pprof
           protocol: TCP
           name: pprof
    -    - port: 10082
    -      targetPort: ctrl
    -      protocol: TCP
    -      name: ctrl
         - port: 10080
           targetPort: http
           protocol: TCP
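Review bot: removing the `ctrl` port from the Service only stops clients from reaching the listener through the Service name; if the controller-manager process were still binding a ctrl address, the pod IP would remain reachable pod-to-pod. That is why this hunk has to be read together with the later ones that drop `CTRL_ADDR` and the `ctrl` containerPort. Independently of this change, a NetworkPolicy restricting ingress to the controller-manager pod to the ports it actually needs would be cheap defence in depth.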
    @@ -1879,8 +1875,6 @@ spec:
                 value: "false"
               - name: PPROF_ADDR
                 value: ":10081"
    -          - name: CTRL_ADDR
    -            value: ":10082"
               - name: CHAOS_DNS_SERVICE_NAME
                 value: chaos-mesh-dns-server
               - name: CHAOS_DNS_SERVICE_PORT
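Review bot: dropping `CTRL_ADDR` removes the configured listen address, but the diff does not show what the controller-manager does when the variable is unset. Confirm that an absent `CTRL_ADDR` disables the ctrlserver entirely rather than falling back to a compiled-in default address; if it falls back, this hunk changes nothing at runtime and only the Service and containerPort removals remain, which do not block access via the pod IP.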
    @@ -1910,8 +1904,6 @@ spec:
                 containerPort: 10080
               - name: pprof
                 containerPort: 10081
    -          - name: ctrl
    -            containerPort: 10082
           volumes:
             - name: webhook-certs
               secret:
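Review bot: consistent with the Service hunk above. The change touches values.yaml but no chart template, so presumably the templates already gate the `ctrl` port and `CTRL_ADDR` on `enableCtrlServer`; it is worth confirming that this install.sh was regenerated from the chart with the new default rather than hand-edited, otherwise the next regeneration could reintroduce the `ctrl` containerPort.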
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.