CVE-2025-59358

7.5 HIGH

📋 TL;DR

The Chaos Controller Manager in Chaos Mesh exposes an unauthenticated GraphQL debugging server that allows attackers to kill arbitrary processes in any Kubernetes pod. This leads to cluster-wide denial of service by terminating critical system processes. All Kubernetes clusters running vulnerable versions of Chaos Mesh are affected.

💻 Affected Systems

Products:
  • Chaos Mesh
Versions: All versions before the fix in PR #4702
Operating Systems: Linux (Kubernetes environments)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Chaos Mesh deployments where the Chaos Controller Manager is running with the vulnerable GraphQL debugging server enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete cluster-wide denial of service by killing critical system processes across all pods, potentially causing extended downtime and data loss.

🟠 Likely Case

Targeted disruption of specific applications or services by killing key processes, leading to partial service outages.

🟢 If Mitigated

Limited impact if network policies restrict access to the debugging server or if authentication is properly configured.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires cluster access, exposed Kubernetes clusters with Chaos Mesh could be targeted.
🏢 Internal Only: HIGH - Any compromised pod or malicious insider with cluster network access can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the Chaos Controller Manager service within the Kubernetes cluster.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version including PR #4702

Vendor Advisory: https://github.com/chaos-mesh/chaos-mesh/pull/4702

Restart Required: Yes

Instructions:

1. Update Chaos Mesh to a version containing PR #4702.
2. Restart the Chaos Controller Manager pods.
3. Verify the GraphQL debugging server is no longer exposed without authentication.

🔧 Temporary Workarounds

Network Policy Restriction

Apply Kubernetes Network Policies to restrict access to the Chaos Controller Manager service.

kubectl apply -f network-policy.yaml
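As an added workaround example (not from this advisory or the Chaos Mesh project), the following NetworkPolicy keeps the GraphQL debugging port 2333 named above reachable only from other Chaos Mesh pods in the same namespace. The namespace chaos-mesh-testing is taken from this page; the pod labels and the webhook/metrics port numbers are assumptions and must be checked against your deployment.

```yaml
# Added example, not part of the advisory or the Chaos Mesh project.
# Assumed: controller-manager pods carry the two labels under podSelector
# (check with: kubectl get pods -n chaos-mesh-testing --show-labels).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-chaos-controller-manager
  namespace: chaos-mesh-testing
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: chaos-mesh
      app.kubernetes.io/component: controller-manager
  policyTypes:
    - Ingress
  ingress:
    # 1. Other Chaos Mesh components in this namespace (for example the
    #    dashboard) may reach any port, including the debugging port 2333
    #    named in this advisory.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: chaos-mesh
    # 2. Every other source (the API server calling the admission webhook,
    #    a metrics scraper) may only reach the ports listed here. Port
    #    numbers are assumed defaults; verify them against your deployment.
    #    Port 2333 is deliberately absent, so once a pod is selected by this
    #    policy it is unreachable from ordinary workloads.
    - ports:
        - protocol: TCP
          port: 10250   # admission webhook port (assumed)
        - protocol: TCP
          port: 10080   # metrics port (assumed)
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so confirm enforcement after applying rather than assuming it.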

Service Account Restriction

Limit service account permissions and use RBAC to control access to Chaos Mesh components.

kubectl apply -f rbac-restrictions.yaml

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Chaos Mesh components from other cluster resources.
  • Deploy intrusion detection systems to monitor for process termination patterns across pods.

🔍 How to Verify

Check if Vulnerable:

Check if the Chaos Controller Manager exposes port 2333 (GraphQL debugging server) without authentication:

kubectl get svc -n chaos-mesh-testing | grep chaos-controller-manager

Check Version:

kubectl describe deployment chaos-controller-manager -n chaos-mesh-testing | grep Image

Verify Fix Applied:

Verify that port 2333 is not exposed or requires authentication:

kubectl describe svc chaos-controller-manager -n chaos-mesh-testing

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process terminations across multiple pods
  • GraphQL queries to Chaos Controller Manager debugging endpoint

Network Indicators:

  • Traffic to port 2333 on Chaos Controller Manager from unauthorized sources

SIEM Query:

source="kubernetes" AND (event="process_terminated" OR port=2333)
