CVE-2025-8793

4.3 MEDIUM

📋 TL;DR

This vulnerability in LitmusChaos Litmus allows attackers to manipulate resource identifiers via the projectID argument, potentially leading to unauthorized access or resource manipulation. It affects LitmusChaos Litmus up to version 3.19.0. The vulnerability can be exploited remotely and has been publicly disclosed.

💻 Affected Systems

Products:
  • LitmusChaos Litmus
Versions: up to 3.19.0
Operating Systems: All platforms running LitmusChaos
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with the vulnerable functionality enabled. The exact component is unspecified but involves projectID manipulation.

📦 What is this software?

LitmusChaos Litmus is an open-source chaos engineering platform for Kubernetes; it runs fault-injection experiments against workloads and groups them into projects, which is where the affected projectID handling lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized access to sensitive project data, resource manipulation, or privilege escalation within the LitmusChaos environment.

🟠 Likely Case: Unauthorized viewing or modification of project resources, potentially disrupting chaos engineering experiments.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, potentially only affecting non-critical resources.

🌐 Internet-Facing: MEDIUM - Remote exploitation is possible, but requires specific knowledge of the LitmusChaos deployment.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain unauthorized access to project resources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details have been publicly disclosed but no proof-of-concept code is confirmed. Attack requires understanding of LitmusChaos project structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.20.0 or later (assumed - check vendor documentation)

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

1. Check the current LitmusChaos version.
2. Upgrade to version 3.20.0 or later.
3. Verify the fix by testing projectID functionality.

🔧 Temporary Workarounds

  • Restrict network access (applies to: all)
    Limit access to LitmusChaos API endpoints to trusted networks only.
    Use network firewall rules or Kubernetes NetworkPolicies to restrict access.
  • Implement API authentication (applies to: all)
    Ensure strong authentication is required for all API calls.
    Configure LitmusChaos authentication settings appropriately.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate LitmusChaos from untrusted networks
  • Monitor API logs for unusual projectID manipulation attempts

🔍 How to Verify

Check if Vulnerable: the deployment is affected if it runs LitmusChaos version 3.19.0 or earlier.

Check Version (the container image tag of each deployment in the litmus namespace carries the version):

kubectl get deployments -n litmus -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.template.spec.containers[*].image}{"\n"}{end}'

Verify Fix Applied: confirm that version 3.20.0 or later is installed and test projectID functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual projectID values in API requests
  • Failed authentication attempts with projectID manipulation

Network Indicators:

  • Unusual API calls to project-related endpoints from unexpected sources

SIEM Query:

source="litmus" AND (projectID OR "project ID") AND status!=200

🔗 References