CVE-2025-59359
📋 TL;DR
CVE-2025-59359 is an OS command injection vulnerability in Chaos Controller Manager's cleanTcs mutation that allows unauthenticated attackers within a Kubernetes cluster to execute arbitrary commands. Combined with CVE-2025-59358, this enables remote code execution across the entire cluster. This affects all Chaos Mesh deployments with vulnerable versions.
💻 Affected Systems
- Chaos Mesh
📦 What is this software?
Chaos Mesh by Chaos Mesh
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster takeover with attacker gaining control of all nodes, deploying malicious containers, exfiltrating sensitive data, and establishing persistent backdoors.
Likely Case
Attacker gains control of multiple nodes, deploys cryptocurrency miners or ransomware, and compromises sensitive workloads within the cluster.
If Mitigated
Attack limited to isolated namespace if proper network policies and RBAC are configured, but still significant impact within that scope.
🎯 Exploit Status
Exploitation requires in-cluster access but no authentication. Combined with CVE-2025-59358, it makes exploitation straightforward for attackers with any foothold in the cluster.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.0
Vendor Advisory: https://github.com/chaos-mesh/chaos-mesh/pull/4702
Restart Required: Yes
Instructions:
1. Backup your Chaos Mesh configuration.
2. Update Chaos Mesh to version 2.8.0 using Helm: `helm upgrade chaos-mesh chaos-mesh/chaos-mesh --namespace chaos-mesh --version 2.8.0`
3. Verify all pods restart successfully.
4. Test chaos experiments to ensure functionality.
🔧 Temporary Workarounds
Disable Chaos Controller Manager
Temporarily disable the vulnerable component while planning the upgrade:
kubectl scale deployment chaos-controller-manager --replicas=0 -n chaos-mesh
Restrict Network Access
Apply network policies to limit access to Chaos Mesh components. Create a policy restricting traffic to the Chaos Mesh namespace (saved here as network-policy.yaml) and apply it:
kubectl apply -f network-policy.yaml
🧯 If You Can't Patch
- Isolate Chaos Mesh namespace with strict network policies and RBAC to limit blast radius
- Monitor for suspicious activity targeting Chaos Mesh components and implement runtime protection
🔍 How to Verify
Check if Vulnerable:
Check the Chaos Mesh version from the controller-manager image tag (upstream tags carry a leading "v", e.g. v2.7.2, which the sed strips):
kubectl get deployment chaos-controller-manager -n chaos-mesh -o jsonpath='{.spec.template.spec.containers[0].image}' | sed -E 's/.*:v?([0-9.]+)$/\1/'
Check Version:
helm list -n chaos-mesh | grep chaos-mesh
Verify Fix Applied:
Confirm version is 2.8.0 or higher and test that cleanTcs mutation no longer accepts untrusted input
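The version check above, carried through as an added example (not code from the advisory or the Chaos Mesh project): it parses the image tag, compares it numerically against the fixed release 2.8.0, and refuses to report an unparseable tag such as "latest" as safe. Deployment and namespace names are the Helm chart defaults used elsewhere on this page.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether a Chaos Mesh
# controller-manager image is below the fixed release 2.8.0.
FIXED_VERSION="2.8.0"

# Pull the version out of an image reference such as
# ghcr.io/chaos-mesh/chaos-mesh:v2.7.2 (upstream tags carry a leading "v").
# Prints nothing for digest-pinned images or tags like "latest".
image_version() {
  printf '%s\n' "$1" | sed -nE 's/^[^@]*:v?([0-9]+(\.[0-9]+)*)$/\1/p'
}

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Compares component by component, so 2.10.0 sorts above 2.8.0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# Exit 0 when the image is vulnerable (older than 2.8.0), 1 when fixed,
# and 2 when the version cannot be read; "unknown" must not pass as safe.
is_vulnerable_image() {
  ver=$(image_version "$1")
  [ -n "$ver" ] || return 2
  version_lt "$ver" "$FIXED_VERSION"
}

# Live check against the current kubectl context (chart default names).
check_cluster() {
  img=$(kubectl get deployment chaos-controller-manager -n chaos-mesh \
          -o jsonpath='{.spec.template.spec.containers[0].image}') || return 2
  rc=0; is_vulnerable_image "$img" || rc=$?
  case $rc in
    0) echo "VULNERABLE: $img (older than $FIXED_VERSION)" ;;
    1) echo "OK: $img" ;;
    *) echo "UNKNOWN: cannot read a version from $img" ;;
  esac
}
```

Run `check_cluster` against each cluster; treat UNKNOWN the same as VULNERABLE until the tag is pinned to a release.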
📡 Detection & Monitoring
Log Indicators:
- Unusual commands executed by chaos-controller-manager
- Multiple failed authentication attempts to Chaos Mesh API
- Unexpected pod creations from chaos-mesh namespace
Network Indicators:
- Unusual outbound connections from chaos-mesh namespace
- Traffic to suspicious external IPs from controller manager
SIEM Query:
source="kubernetes" ("chaos-controller-manager" AND ("exec" OR "command" OR "injection")) OR (namespace="chaos-mesh" AND ("unauthorized" OR "exploit"))