PT-2025-37473 · Unknown · Chaos-Mesh

Natan Nehorai

Published 2025-09-15 · Updated 2025-10-06 · CVE-2025-59358

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Chaos Mesh versions prior to 2.7.3

Description: The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster. This server provides an API that allows attackers to kill arbitrary processes in any Kubernetes pod, potentially leading to a cluster-wide denial of service. The vulnerability stems from a missing authentication check for a critical function within the Chaos Controller Manager.

Recommendations: Versions prior to 2.7.3 should be updated to version 2.7.3 or later.
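The following is an added example, not part of this advisory or of the Chaos Mesh project, showing how an operator can inventory a cluster for Chaos Controller Manager containers still running a version older than the fixed release 2.7.3. It parses the JSON shape produced by `kubectl get pods -A -o json`; the embedded pod list is constructed sample data, and the assumption that the controller manager runs an image whose repository path contains `chaos-mesh/chaos-mesh` is hypothetical and should be adjusted to the registry path in use.

```python
import json
import re

# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-controller-manager-7d9f"},
         "spec": {"containers": [{"name": "chaos-mesh", "image": "ghcr.io/chaos-mesh/chaos-mesh:v2.6.3"}]}},
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-daemon-x1"},
         "spec": {"containers": [{"name": "chaos-daemon", "image": "ghcr.io/chaos-mesh/chaos-daemon:v2.6.3"}]}},
        {"metadata": {"namespace": "kube-system", "name": "coredns-abc"},
         "spec": {"containers": [{"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
        {"metadata": {"namespace": "staging", "name": "chaos-controller-manager-a1b2"},
         "spec": {"containers": [{"name": "chaos-mesh", "image": "ghcr.io/chaos-mesh/chaos-mesh:v2.7.3"}]}},
    ]
})

FIXED_VERSION = (2, 7, 3)  # from the advisory: 2.7.3 or later is not affected


def parse_version(tag):
    """Return (major, minor, patch) from a tag like 'v2.6.3' or '2.7.3-rc1', or None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def find_vulnerable_controllers(pods_json, image_pattern=r"chaos-mesh/chaos-mesh"):
    """Return [(namespace, pod, image)] for controller-manager containers older than 2.7.3.

    Assumption (hypothetical): the controller manager runs an image whose path matches
    image_pattern; adjust the pattern to the registry path actually deployed.
    """
    findings = []
    for item in json.loads(pods_json)["items"]:
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        for container in item["spec"]["containers"]:
            image = container["image"]
            if not re.search(image_pattern, image):
                continue
            # Take the tag only from the last path segment so a registry port (host:5000/...) is not mistaken for one.
            last = image.rsplit("/", 1)[-1]
            tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
            ver = parse_version(tag)
            # Untagged, digest-pinned or otherwise unparseable images cannot be proven fixed: report them too.
            if ver is None or ver < FIXED_VERSION:
                findings.append((ns, name, image))
    return findings


if __name__ == "__main__":
    for ns, pod, image in find_vulnerable_controllers(SAMPLE_PODS_JSON):
        print(f"{ns}/{pod}: {image} is older than 2.7.3 (CVE-2025-59358)")
```

Pipe real cluster output in with `kubectl get pods -A -o json` and pass it to `find_vulnerable_controllers` in place of the sample; any hit should be upgraded to 2.7.3 or later as the advisory recommends.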

Exploit

Fix

DoS

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2025-59358
GHSA-2GG8-85M5-8R2P
GO-2025-3951
OPENSUSE-SU-2025:15564-1
SUSE-SU-2025:03289-1

Affected Products

Chaos-Mesh