Chaos Mesh
Products
1- 5 CVEs
Recent CVEs
5| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-59361 | 0.00 | — | 0.03 | Sep 15, 2025 | The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | |||
| CVE-2025-59360 | 0.00 | — | 0.03 | Sep 15, 2025 | The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | |||
| CVE-2025-59359 | 0.00 | — | 0.03 | Sep 15, 2025 | The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | |||
| CVE-2025-59358 | 0.00 | — | 0.01 | Sep 15, 2025 | The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | |||
| CVE-2024-36538 | 0.00 | — | 0.01 | Jul 24, 2024 | Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
- CVE-2025-59361Sep 15, 2025risk 0.00cvss —epss 0.03
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
- CVE-2025-59360Sep 15, 2025risk 0.00cvss —epss 0.03
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
- CVE-2025-59359Sep 15, 2025risk 0.00cvss —epss 0.03
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
- CVE-2025-59358Sep 15, 2025risk 0.00cvss —epss 0.01
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
- CVE-2024-36538Jul 24, 2024risk 0.00cvss —epss 0.01
Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.