CVE-2025-59359

CRITICAL

Chaos-mesh Chaos Mesh < 2.7.3 - OS Command Injection

Title source: rule

Description

The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

Exploits (1)

nomisec WRITEUP 1 stars

by mrk336 · poc

https://github.com/mrk336/Cluster-Chaos-Exploiting-CVE-2025-59359-for-Kubernetes-Takeover

View Code ZIP pw:eip

References (2)

[Issue Tracking] https://github.com/chaos-mesh/chaos-mesh/pull/4702

[Exploit, Third Party Advisory] https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover

Scores

CVSS v3 9.8

EPSS 0.0152

EPSS Percentile 81.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

chaos-mesh/chaos-mesh 0 - 2.7.3Go

chaos-mesh/chaos_mesh < 2.7.3

Published Sep 15, 2025

Tracked Since Feb 18, 2026