Critical severityOSV Advisory· Published Sep 15, 2025· Updated Sep 15, 2025
OS command injection in Chaos Mesh via the killProcesses mutation
CVE-2025-59360
Description
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/chaos-mesh/chaos-meshGo | < 2.7.3 | 2.7.3 |
Affected products
5- Range: chart-0.1.0, chart-0.1.1, chart-0.2.0, …
- ghsa-coords4 versionspkg:golang/github.com/chaos-mesh/chaos-meshpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
< 2.7.3+ 3 more
- (no CPE)range: < 2.7.3
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
- (no CPE)range: < 0.0.20250917T170349-1.1
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-xv9f-728h-9jgvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-59360ghsaADVISORY
- github.com/chaos-mesh/chaos-mesh/commit/67281c36f8068bf103149318cd0a466417213a28ghsaWEB
- github.com/chaos-mesh/chaos-mesh/pull/4702ghsaWEB
- jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeoverghsaWEB
News mentions
0No linked articles in our index yet.