Home

Description

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.

PUBLISHED Reserved 2025-09-12 | Published 2025-09-15 | Updated 2025-09-15 | Assigner JFROG




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Any version
affected

References

github.com/chaos-mesh/chaos-mesh/pull/4702

jfrog.com/...-chaos-mesh-lead-to-kubernetes-cluster-takeover

cve.org (CVE-2025-59358)

nvd.nist.gov (CVE-2025-59358)

Download JSON