CVE-2025-59361
CRITICALchaos-mesh < 2.7.3 - Unauthenticated Remote Code Execution via cleanIptables Mutation
Title source: llmDescription
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
References (2)
Core 2
Core References
Issue Tracking
https://github.com/chaos-mesh/chaos-mesh/pull/4702
Exploit, Third Party Advisory
https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover
Scores
CVSS v3
9.8
EPSS
0.0327
EPSS Percentile
86.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
chaos-mesh/chaos-mesh
0 - 2.7.3Go
chaos-mesh/chaos_mesh
< 2.7.3
Published
Sep 15, 2025
Tracked Since
Feb 18, 2026