VYPR
Critical severity · OSV Advisory · Published Sep 15, 2025 · Updated Sep 15, 2025

OS command injection in Chaos Mesh via the cleanIptables mutation

CVE-2025-59361

Description

The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Chaos Mesh's cleanIptables mutation allows unauthenticated in-cluster RCE when combined with CVE-2025-59358.

The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. This flaw, tracked as CVE-2025-59361, allows an attacker to inject arbitrary commands through the mutation's input, leading to remote code execution [2][3].

The vulnerability can be exploited by an in-cluster attacker with network access to the Chaos Controller Manager's GraphQL server. No authentication is required, but the attacker does need initial network access inside the cluster, which is common in compromised container scenarios. When combined with CVE-2025-59358, the attacker can achieve remote code execution across the entire cluster [2].

Successful exploitation lets the attacker execute arbitrary commands on any pod in the cluster, potentially leading to full cluster compromise. The attacker can steal privileged service account tokens, deploy additional malware, or disrupt cluster operations [2].

The fix is available in Chaos Mesh version 2.7.3. Users unable to upgrade should consider network segmentation or disabling the chaosctl feature as a temporary workaround [2][1].
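
The workaround above (turning off the chaosctl control server) can be checked against exported manifests. This is an added example, not code from the advisory or the Chaos Mesh project: it flags the `CTRL_ADDR` variable and the `ctrl`/10082 port that the fix commit removes, and the object names and sample JSON in it are constructed.

```python
import json

# Identifiers taken from the fix commit's install.sh hunks.
CTRL_ENV, CTRL_PORT_NAME, CTRL_PORT = "CTRL_ADDR", "ctrl", 10082


def audit_object(obj):
    """Return findings for one parsed Deployment or Service object."""
    kind = obj.get("kind")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    found = []
    if kind == "Deployment":
        pod = obj.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod.get("containers", []):
            for env in c.get("env", []):
                if env.get("name") == CTRL_ENV:
                    found.append(f"Deployment/{name}: env {CTRL_ENV}={env.get('value', '<from ref>')}")
            for port in c.get("ports", []):
                if port.get("name") == CTRL_PORT_NAME or port.get("containerPort") == CTRL_PORT:
                    found.append(f"Deployment/{name}: containerPort {port.get('containerPort')}")
    elif kind == "Service":
        for port in obj.get("spec", {}).get("ports", []):
            if (port.get("name") == CTRL_PORT_NAME or port.get("port") == CTRL_PORT
                    or port.get("targetPort") in (CTRL_PORT_NAME, CTRL_PORT)):
                found.append(f"Service/{name}: port {port.get('port')}")
    return found


def audit(doc):
    """Audit a single object or a kubectl 'List' wrapper, in input order."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for item in items for f in audit_object(item)]


# Constructed sample input (not real cluster output); object names are made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Deployment", "metadata": {"name": "example-controller"},
  "spec": {"template": {"spec": {"containers": [{"name": "manager",
   "env": [{"name": "PPROF_ADDR", "value": ":10081"},
           {"name": "CTRL_ADDR", "value": ":10082"}],
   "ports": [{"name": "pprof", "containerPort": 10081},
             {"name": "ctrl", "containerPort": 10082}]}]}}}},
 {"kind": "Service", "metadata": {"name": "example-controller"},
  "spec": {"ports": [{"name": "http", "port": 10080, "targetPort": "http"},
                     {"name": "ctrl", "port": 10082, "targetPort": "ctrl"}]}}
]}
""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Feed `audit` the parsed output of `kubectl get deploy,svc -n chaos-mesh -o json`. An empty result means none of these settings is present in the manifests, not that the cluster runs a patched version.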

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/chaos-mesh/chaos-mesh (Go)
Affected versions: < 2.7.3
Patched versions: 2.7.3


Patches

1
67281c36f806

chore!: disable chaosctl by default (#4702)

https://github.com/chaos-mesh/chaos-mesh · Yue Yang · Jul 22, 2025 · via ghsa
4 files changed · +3 -10
  • CHANGELOG.md+1 0 modified
    @@ -26,6 +26,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
     - Adopt vite and swc in the Dashboard UI [#4688](https://github.com/chaos-mesh/chaos-mesh/pull/4688)
     - Update usage about helm-values-schema-json [#4719](https://github.com/chaos-mesh/chaos-mesh/pull/4719)
     - Update swag to v1.16.4
    +- Update `enableCtrlServer` to `false` by default in the Helm chart [#4702](https://github.com/chaos-mesh/chaos-mesh/pull/4702)
     
     ### Deprecated
     
    
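Review bot: The added CHANGELOG line records only the value flip of `enableCtrlServer` and does not say what stops working. Since the commit title carries the breaking-change marker (`chore!:`), the entry should state that the ctrl server used by chaosctl is now off by default and that anyone relying on chaosctl must set `enableCtrlServer=true` explicitly.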
  • .github/workflows/integration_test.yml+1 1 modified
    @@ -85,7 +85,7 @@ jobs:
             run: |
               helm install --wait --create-namespace chaos-mesh helm/chaos-mesh \
                 -n=chaos-mesh --set images.tag=latest --set chaosDaemon.env.DOCKER_API_VERSION=1.41 \
    -            --set controllerManager.chaosdSecurityMode=false
    +            --set controllerManager.chaosdSecurityMode=false,enableCtrlServer=true
               kubectl port-forward -n chaos-mesh svc/chaos-dashboard 2333:2333 &
     
           - uses: actions/setup-go@v5
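Review bot: On the changed `--set` line, `enableCtrlServer=true` is appended after a comma to `controllerManager.chaosdSecurityMode=false`, which reads as if it were nested under `controllerManager` even though values.yaml defines it at the top level; a separate `--set enableCtrlServer=true` would be clearer. It also means this job installs with the ctrl server turned back on, so the new default (disabled) is not the configuration the integration test exercises.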
    
  • helm/chaos-mesh/values.yaml+1 1 modified
    @@ -42,7 +42,7 @@ timezone: "UTC"
     enableProfiling: true
     
     # enableCtrlServer is a flag to enable ctrlserver which provides service to chaosctl in controller-manager.
    -enableCtrlServer: true
    +enableCtrlServer: false
     
     images:
       # images.registry is the global container registry for the images, you could replace it with your self-hosted container registry.
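Review bot: The comment above `enableCtrlServer` is left unchanged and gives no hint that the default is now `false` on purpose. Extend it to say the ctrl server is disabled by default and should be enabled only when chaosctl is needed, so an operator flipping it back understands that this opens an additional service on the controller-manager.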
    
  • install.sh+0 8 modified
    @@ -1507,10 +1507,6 @@ spec:
           targetPort: pprof
           protocol: TCP
           name: pprof
    -    - port: 10082
    -      targetPort: ctrl
    -      protocol: TCP
    -      name: ctrl
         - port: 10080
           targetPort: http
           protocol: TCP
    @@ -1879,8 +1875,6 @@ spec:
                 value: "false"
               - name: PPROF_ADDR
                 value: ":10081"
    -          - name: CTRL_ADDR
    -            value: ":10082"
               - name: CHAOS_DNS_SERVICE_NAME
                 value: chaos-mesh-dns-server
               - name: CHAOS_DNS_SERVICE_PORT
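Review bot: Dropping the `CTRL_ADDR` entry here only turns the ctrl server off if the controller-manager treats an unset `CTRL_ADDR` as disabled rather than falling back to a built-in listen address. Nothing in this diff shows that default, so it is worth confirming and stating in the PR description.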
    @@ -1910,8 +1904,6 @@ spec:
                 containerPort: 10080
               - name: pprof
                 containerPort: 10081
    -          - name: ctrl
    -            containerPort: 10082
           volumes:
             - name: webhook-certs
               secret:
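Review bot: With this hunk install.sh has removed the ctrl port in all three places (Service port, `CTRL_ADDR`, containerPort 10082) unconditionally, while the Helm chart keeps an `enableCtrlServer` opt-in. Either document how install.sh users who need chaosctl can re-enable it, or state that chaosctl is supported only through the Helm chart.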
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
