CVE-2025-59361

9.8 CRITICAL

📋 TL;DR

CVE-2025-59361 is an OS command injection vulnerability in Chaos Mesh's cleanIptables mutation that allows unauthenticated attackers within a Kubernetes cluster to execute arbitrary commands. When combined with CVE-2025-59358, this enables remote code execution across the entire cluster. All Chaos Mesh deployments with the vulnerable component are affected.

💻 Affected Systems

Products:
  • Chaos Mesh
Versions: before 2.9.0
Operating Systems: Linux (Kubernetes nodes)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Chaos Controller Manager component to be deployed; vulnerable in default configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete cluster takeover where attackers gain root access to all nodes, deploy malicious containers, exfiltrate sensitive data, and establish persistent backdoors.

🟠 Likely Case: Attackers compromise multiple nodes, deploy cryptocurrency miners or ransomware, and potentially pivot to other cloud resources.

🟢 If Mitigated: Limited impact due to network segmentation, minimal privileges, and monitoring that detects anomalous command execution.

🌐 Internet-Facing: LOW (requires in-cluster access, not directly internet-exposed)
🏢 Internal Only: HIGH (exploitable by any pod/container within the cluster)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit chain with CVE-2025-59358 is documented in public research; attackers need only network access to the controller manager service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.0

Vendor Advisory: https://github.com/chaos-mesh/chaos-mesh/pull/4702

Restart Required: Yes

Instructions:

1. Update Chaos Mesh to version 2.9.0 or later.
2. Delete and recreate the Chaos Mesh controller manager pods to ensure the new version is running.
3. Verify that all components are using the patched version.

🔧 Temporary Workarounds

Network Policy Restriction


Restrict network access to Chaos Controller Manager service to only trusted namespaces/pods.

kubectl apply -f network-policy.yaml
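The workaround above applies a network-policy.yaml without showing its contents. The script below is an added example, not the advisory's own file and not code from the Chaos Mesh project: it renders one such NetworkPolicy that selects the controller-manager pods and allows ingress only from a trusted namespace, from other pods in the Chaos Mesh namespace, and from the address range the kube-apiserver calls from, since the controller manager also serves the project's admission webhook and cutting the apiserver off would break it. The namespace names, the pod label `app.kubernetes.io/component=controller-manager` and the `10.0.0.0/24` control-plane range are assumptions to replace with the values of your own cluster.

```shell
#!/bin/sh
# Added example, not part of this advisory or of the Chaos Mesh project: render
# (and optionally apply) a NetworkPolicy that restricts ingress to the
# chaos-controller-manager pods, i.e. the "network-policy.yaml" the workaround
# above applies. Every value below is an assumption to adapt:
#   CHAOS_NS          namespace Chaos Mesh is installed in
#   TRUSTED_NS        the one namespace whose pods may talk to the controller
#   CONTROLLER_LABEL  pod label carried by the controller-manager pods
#   APISERVER_CIDR    address range the kube-apiserver calls webhooks from
# kubectl is only executed by apply_policy, never when this file is sourced.
CHAOS_NS="${CHAOS_NS:-chaos-mesh}"
TRUSTED_NS="${TRUSTED_NS:-chaos-admin}"
CONTROLLER_LABEL="${CONTROLLER_LABEL:-app.kubernetes.io/component=controller-manager}"
APISERVER_CIDR="${APISERVER_CIDR:-10.0.0.0/24}"   # placeholder: set your control-plane range

# Print the manifest to stdout. Selecting the controller pods with an Ingress
# policyType denies every ingress source that is not listed below.
render_policy() {
  key="${CONTROLLER_LABEL%%=*}"; value="${CONTROLLER_LABEL#*=}"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-chaos-controller-manager
  namespace: ${CHAOS_NS}
spec:
  podSelector:
    matchLabels:
      ${key}: ${value}
  policyTypes:
    - Ingress
  ingress:
    # Pods in the trusted namespace (the team that runs chaos experiments).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${TRUSTED_NS}
    # Other Chaos Mesh components in the same namespace.
    - from:
        - podSelector: {}
    # The kube-apiserver must still reach the controller's admission webhook;
    # on most clusters that traffic does not originate from a pod, so the
    # control-plane address range is allowed explicitly.
    - from:
        - ipBlock:
            cidr: ${APISERVER_CIDR}
EOF
}

# Write the manifest to a file (default: network-policy.yaml, as in the advisory).
write_policy() {
  render_policy > "${1:-network-policy.yaml}"
}

# Write and apply. Afterwards confirm nothing you still need was cut off,
# e.g. with: kubectl get pods -n "$CHAOS_NS" and a test experiment.
apply_policy() {
  file="${1:-network-policy.yaml}"
  write_policy "$file" && kubectl apply -f "$file"
}
```

Source the file and call `write_policy` to review the manifest, or `apply_policy` to write and apply it in one step. A NetworkPolicy only takes effect on a CNI that enforces it; on a cluster without an enforcing CNI the object is accepted and blocks nothing, so verify enforcement rather than assuming it.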

Disable Vulnerable Component


Temporarily disable Chaos Controller Manager if not essential for operations.

kubectl scale deployment chaos-controller-manager --replicas=0

🧯 If You Can't Patch

  • Implement strict network policies to isolate Chaos Mesh components from other pods
  • Enable audit logging for all command execution and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Chaos Mesh version: kubectl get deployment chaos-controller-manager -o jsonpath='{.spec.template.spec.containers[0].image}'

Check Version:

kubectl get deployment chaos-controller-manager -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'

This prints the semantic version from the image tag; anything below 2.9.0 is vulnerable.

Verify Fix Applied:

Confirm that the running version is 2.9.0 or later and that the cleanIptables mutation rejects untrusted input.
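Printing the version is only half of the check: deciding whether it is at or above 2.9.0 needs a numeric comparison, because 2.10.0 is a later release than 2.9.0 but sorts before it as a string, and the step "recreate the controller manager pods" means the running pods must be inspected, not only the Deployment spec. The script below is an added example, not from the advisory or from the Chaos Mesh project; it assumes that Chaos Mesh images are tagged with their semantic version and, in `check_cluster`, that Chaos Mesh lives in a namespace called `chaos-mesh` unless another is passed in.

```shell
#!/bin/sh
# Added example, not from this advisory or from Chaos Mesh: decide whether a
# controller-manager image is at or above the fixed release (2.9.0, per the
# advisory). Version fields are compared numerically so that 2.10.x is not
# sorted below 2.9.0 the way a string comparison would, and a "v" prefix, a
# registry with a port and an @sha256 digest suffix are all tolerated.
# Assumption: Chaos Mesh images are tagged with their semantic version.
FIXED_VERSION="2.9.0"

# Print MAJOR.MINOR.PATCH from an image reference such as
#   ghcr.io/chaos-mesh/chaos-mesh:v2.8.2@sha256:...
# Prints nothing when the tag is missing or is not a version (e.g. "latest").
# A pre-release suffix such as "-rc.1" is ignored.
image_version() {
  printf '%s\n' "$1" \
    | sed 's#.*/##; s#@.*##; s#^[^:]*:##; s#^v##' \
    | grep -oE '^[0-9]+\.[0-9]+\.[0-9]+' || true
}

# Exit 0 when $1 >= $2, both MAJOR.MINOR.PATCH, compared field by field.
version_ge() {
  a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
  b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
  if [ "$a1" -gt "$b1" ]; then return 0; fi
  if [ "$a1" -lt "$b1" ]; then return 1; fi
  if [ "$a2" -gt "$b2" ]; then return 0; fi
  if [ "$a2" -lt "$b2" ]; then return 1; fi
  [ "$a3" -ge "$b3" ]
}

# Print "patched", "vulnerable" or "unknown" for one image reference.
image_status() {
  v="$(image_version "$1")"
  if [ -z "$v" ]; then
    echo unknown
  elif version_ge "$v" "$FIXED_VERSION"; then
    echo patched
  else
    echo vulnerable
  fi
}

# Live check against a cluster. The Deployment spec alone can already show
# the new image while old pods are still running, so the running pods whose
# names derive from the deployment are inspected as well. The namespace
# default "chaos-mesh" is an assumption; pass yours as $1.
check_cluster() {
  ns="${1:-chaos-mesh}"
  spec_image="$(kubectl get deployment chaos-controller-manager -n "$ns" \
    -o jsonpath='{.spec.template.spec.containers[0].image}')"
  printf 'deployment\t%s\t%s\n' "$spec_image" "$(image_status "$spec_image")"
  kubectl get pods -n "$ns" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}{end}' \
  | grep '^chaos-controller-manager' \
  | while IFS="$(printf '\t')" read -r pod image; do
      printf '%s\t%s\t%s\n' "$pod" "$image" "$(image_status "$image")"
    done
}
```

Source the file and run `check_cluster my-namespace`; every line should read `patched`. A `vulnerable` pod next to a `patched` deployment means the rollout has not completed, which is exactly the case step 2 of the fix instructions addresses.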

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from chaos-controller-manager pods
  • iptables commands with unexpected arguments
  • Shell command patterns in controller logs

Network Indicators:

  • Unexpected outbound connections from controller manager pods
  • Traffic to known malicious IPs or domains

SIEM Query:

source="k8s-audit" AND "chaos-controller-manager" AND ("exec" OR "command" OR "iptables")
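The SIEM query above finds controller activity that mentions iptables; the indicator "iptables commands with unexpected arguments" still has to be judged per line. The script below is an added example, not from the advisory or from the Chaos Mesh project, that does that judgement host-side with an allowlist: a chain name is letters, digits, `-` and `_`, so any other character in the argument is reported. The log lines are constructed for the example, the `chains=` field layout is an assumption (the real controller log format differs, so adapt the field that carries the chain names), and the allowlist itself is an assumption to widen if your chains use other characters.

```shell
#!/bin/sh
# Added example, not from this advisory or from Chaos Mesh: host-side triage
# of controller logs for the "iptables commands with unexpected arguments"
# and "shell command patterns" indicators. The log lines are constructed and
# the "chains=" field is an assumed layout; the real chaos-controller-manager
# log format differs, so adapt the field that carries the chain names.

# Constructed sample log lines. The last two carry arguments that no iptables
# chain name can contain; the chaos-daemon line is out of scope for this rule.
SAMPLE_LOGS='2025-09-17T10:01:02Z chaos-controller-manager cleanIptables pod=default/web-0 chains=INPUT,OUTPUT
2025-09-17T10:01:05Z chaos-controller-manager cleanIptables pod=default/web-1 chains=CHAOS-INPUT
2025-09-17T10:02:11Z chaos-daemon iptables -F CHAOS-INPUT
2025-09-17T10:03:40Z chaos-controller-manager cleanIptables pod=default/web-2 chains=INPUT;id
2025-09-17T10:03:41Z chaos-controller-manager cleanIptables pod=default/web-3 chains=$(uname)'

# Allowlist rather than a metacharacter denylist (assumption: chain names are
# letters, digits, "-" and "_"). Reads log lines on stdin and prints every
# controller cleanIptables line whose chains= value breaks the allowlist.
# The value is taken up to the next whitespace, so an argument that contains
# a space is cut short but still fails the check on its trailing character.
flag_suspicious_chains() {
  awk '
    /chaos-controller-manager/ && /cleanIptables/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^chains=/) {
          value = substr($i, 8)            # text after "chains="
          n = split(value, chain, ",")
          for (j = 1; j <= n; j++) {
            if (chain[j] !~ /^[A-Za-z0-9_-]+$/) {
              print "SUSPICIOUS: " $0
              break
            }
          }
        }
      }
    }'
}

# Number of suspicious lines in the constructed sample (expected: 2).
count_sample_hits() {
  printf '%s\n' "$SAMPLE_LOGS" | flag_suspicious_chains | wc -l | tr -d ' '
}

# Live use, namespace being an assumption:
#   kubectl logs -n chaos-mesh deploy/chaos-controller-manager | flag_suspicious_chains
```

The allowlist is the point: a denylist of `;`, `|`, `$(` and friends has to be complete to be useful, whereas a rule that accepts only the characters a chain name may contain also catches encodings and separators nobody thought to list.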
