CVE-2025-8796

5.4 MEDIUM

📋 TL;DR

This vulnerability in LitmusChaos Litmus allows unauthorized deletion of projects due to missing authorization checks in the delete project endpoint. Attackers can remotely delete projects without proper permissions. Affects LitmusChaos Litmus users up to version 3.19.0.

💻 Affected Systems

Products:
  • LitmusChaos Litmus
Versions: up to 3.19.0
Operating Systems: All platforms running LitmusChaos
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /auth/delete_project/ endpoint in the Delete Request Handler component. All deployments with default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious actors delete critical chaos engineering projects, disrupting testing environments and potentially affecting production system reliability.

🟠 Likely Case

Unauthorized project deletion causing loss of chaos experiment configurations and disruption to testing workflows.

🟢 If Mitigated

Minimal impact with proper network segmentation and authentication controls limiting access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details are available.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this to disrupt chaos testing operations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available in the referenced GitHub repository. Attack requires some level of access but bypasses authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.0 or later

Vendor Advisory: Not specified in provided references

Restart Required: No

Instructions:

1. Upgrade LitmusChaos Litmus to version 3.20.0 or later.
2. Verify the fix by testing project deletion with unauthorized users.
3. Review and update any custom configurations.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

Restrict network access to the LitmusChaos API endpoints using firewall rules or network policies.

API Gateway Authentication (applies to: all)

Implement an additional authentication layer at the API gateway level for all /auth/ endpoints.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate LitmusChaos deployment from untrusted networks
  • Enable detailed audit logging for all project deletion attempts and monitor for unauthorized access patterns

🔍 How to Verify

Check if Vulnerable:

Check if LitmusChaos version is 3.19.0 or earlier. Attempt unauthorized project deletion via /auth/delete_project/ endpoint.

Check Version:

kubectl get deployment litmus -n litmus -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o ':[0-9.]*'

Verify Fix Applied:

After upgrading to 3.20.0+, verify that unauthorized users cannot delete projects via the affected endpoint.
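The kubectl one-liner above only prints the image tag; deciding whether that tag falls in the affected range still has to be done by hand. The following Python is an added example, not part of this advisory or of the Litmus project: it parses a container image reference into a semantic version and classifies it as affected (below the 3.20.0 fix version named above), fixed, or unknown (untagged, `latest`, or digest-pinned images, which must be resolved another way rather than assumed safe). The image names used in the comments and tests are constructed, and the `image_from_cluster` helper simply wraps the advisory's kubectl command.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fix version stated in this advisory: 3.20.0 or later is patched.
FIXED_VERSION: Tuple[int, int, int] = (3, 20, 0)

# Accept tags such as "3.19.0", "v3.19.0" or "3.19.0-rc1" (core version only).
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_image_tag(image: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an image reference, or None when the
    reference carries no comparable semantic version."""
    # Keep only the last path component so a registry ':port' is not mistaken for a tag.
    name = image.rsplit("/", 1)[-1]
    if "@" in name:
        return None  # digest-pinned image: no version in the reference
    if ":" not in name:
        return None  # no tag at all, which Kubernetes treats as 'latest'
    tag = name.split(":", 1)[1]
    m = SEMVER_RE.match(tag)
    if m is None:
        return None  # e.g. 'latest' or a branch-style tag
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def assess(image: str) -> str:
    """Classify an image reference as 'affected', 'fixed' or 'unknown'.

    Anything below the fix version is treated as affected; the advisory lists
    releases up to 3.19.0, and treating every pre-3.20.0 build as affected is
    the conservative reading of that range."""
    version = parse_image_tag(image)
    if version is None:
        return "unknown"
    return "affected" if version < FIXED_VERSION else "fixed"


def image_from_cluster(namespace: str = "litmus", deployment: str = "litmus") -> str:
    """Run the advisory's kubectl query (needs kubectl and cluster access)."""
    out = subprocess.run(
        ["kubectl", "get", "deployment", deployment, "-n", namespace,
         "-o", "jsonpath={.spec.template.spec.containers[0].image}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed image references to illustrate each verdict offline.
    for ref in ("litmuschaos/litmusportal-server:3.19.0",       # affected
                "registry.local:5000/litmus/server:v3.21.2",   # fixed
                "litmuschaos/litmusportal-server:latest"):     # unknown
        print(f"{ref}: {assess(ref)}")
```

Run it against the live cluster by replacing the constructed references with `image_from_cluster()`; an "unknown" verdict means the deployment is pinned by digest or floating tag and the running version has to be confirmed from the image itself, not assumed patched.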

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized DELETE requests to /auth/delete_project/
  • Failed authentication attempts followed by successful project deletions
  • Multiple project deletion requests from single user in short timeframe

Network Indicators:

  • Unusual DELETE request patterns to authentication endpoints
  • Traffic to /auth/delete_project/ from unexpected IP ranges

SIEM Query:

source="litmus-logs" AND (uri_path="/auth/delete_project/" AND http_method="DELETE") AND (NOT user_role="admin" OR auth_status="failed")
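The SIEM query above covers only the first log indicator (a non-admin or failed-auth request to the delete endpoint). The following Python is an added example, not part of this advisory or of the Litmus project: it runs all three log indicators listed above over a constructed set of JSON log lines, so the logic can be checked before it is translated into a production SIEM rule. The field names (`uri_path`, `http_method`, `user_role`, `auth_status`, `user`, `src_ip`, `ts`) are assumptions chosen to match the query on this page, not the real Litmus log schema, and the five-minute window and burst threshold of three are tuning values to adjust for your environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DELETE_PATH = "/auth/delete_project/"   # endpoint named in this advisory
WINDOW = timedelta(minutes=5)           # assumed correlation window
BURST_COUNT = 3                         # assumed burst threshold

# Constructed sample log lines (one JSON object per line); the schema is assumed.
SAMPLE_LOGS = """\
{"ts": "2025-08-01T10:00:00Z", "src_ip": "10.0.0.5", "user": "alice", "user_role": "admin", "auth_status": "success", "http_method": "DELETE", "uri_path": "/auth/delete_project/", "status": 200}
{"ts": "2025-08-01T10:01:00Z", "src_ip": "10.0.0.9", "user": "bob", "user_role": "viewer", "auth_status": "failed", "http_method": "POST", "uri_path": "/auth/login", "status": 401}
{"ts": "2025-08-01T10:01:30Z", "src_ip": "10.0.0.9", "user": "bob", "user_role": "viewer", "auth_status": "success", "http_method": "DELETE", "uri_path": "/auth/delete_project/", "status": 200}
{"ts": "2025-08-01T10:02:00Z", "src_ip": "10.0.0.9", "user": "bob", "user_role": "viewer", "auth_status": "success", "http_method": "DELETE", "uri_path": "/auth/delete_project/", "status": 200}
{"ts": "2025-08-01T10:02:30Z", "src_ip": "10.0.0.9", "user": "bob", "user_role": "viewer", "auth_status": "success", "http_method": "DELETE", "uri_path": "/auth/delete_project/", "status": 200}
{"ts": "2025-08-01T10:03:00Z", "src_ip": "10.0.0.5", "user": "alice", "user_role": "admin", "auth_status": "success", "http_method": "GET", "uri_path": "/auth/list_projects", "status": 200}
"""

Alert = Tuple[str, str, datetime]  # (rule name, user, time of the triggering event)


def parse_logs(text: str) -> List[dict]:
    """Parse JSON-per-line logs into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def is_delete_project(event: dict) -> bool:
    return event.get("uri_path") == DELETE_PATH and event.get("http_method") == "DELETE"


def detect(events: List[dict]) -> List[Alert]:
    """Apply the advisory's three log indicators and return the alerts raised."""
    alerts: List[Alert] = []
    deletes_by_user: Dict[str, List[datetime]] = defaultdict(list)
    last_failed_auth: Dict[str, datetime] = {}

    for event in sorted(events, key=lambda e: e["ts"]):
        user = event.get("user", "<unknown>")
        if event.get("auth_status") == "failed":
            last_failed_auth[user] = event["ts"]
        if not is_delete_project(event):
            continue

        # Indicator 1 (the page's SIEM query): delete_project by a non-admin
        # or with a failed auth status.
        if event.get("user_role") != "admin" or event.get("auth_status") == "failed":
            alerts.append(("non_admin_delete", user, event["ts"]))

        # Indicator 2: a failed authentication followed by a successful deletion
        # from the same user inside the window; fires once per failed-auth episode.
        failed_at = last_failed_auth.get(user)
        if (failed_at is not None and event.get("auth_status") == "success"
                and event["ts"] - failed_at <= WINDOW):
            alerts.append(("failed_auth_then_delete", user, event["ts"]))
            del last_failed_auth[user]

        # Indicator 3: several deletions from one user in a short time frame.
        recent = deletes_by_user[user]
        recent.append(event["ts"])
        while recent and event["ts"] - recent[0] > WINDOW:
            recent.pop(0)
        if len(recent) == BURST_COUNT:   # fire once when the threshold is reached
            alerts.append(("delete_burst", user, event["ts"]))

    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(parse_logs(SAMPLE_LOGS)):
        print(f"{ts.isoformat()} {rule:<24} user={user}")
```

On the constructed sample the admin's deletion is silent, while the viewer triggers all three indicators: three non-admin deletions, one failed-login-then-delete correlation, and one burst alert. Keying the correlation on the user is deliberate: the advisory describes an authorization (not authentication) bypass, so the actor is typically a logged-in, low-privilege account rather than an anonymous IP, and the `src_ip` field is kept for triage rather than as the grouping key.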
