Article Details
Scrape Timestamp (UTC): 2025-09-16 16:30:50.752
Source: https://thehackernews.com/2025/09/chaos-mesh-critical-graphql-flaws.html
Original Article Text
Click to Toggle View
Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover. Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform's fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens," JFrog said in a report shared with The Hacker News. Chaos Mesh is an open-source cloud-native Chaos Engineering platform that offers various types of fault simulation and simulates various abnormalities that might occur during the software development lifecycle. The issues, collectively called Chaotic Deputy, are listed below - An in-cluster attacker, i.e., a threat actor with initial access to the cluster's network, could chain CVE-2025-59359, CVE-2025-59360, CVE-2025-59361, or with CVE-2025-59358 to perform remote code execution across the cluster, even in the default configuration of Chaos Mesh. JFrog said the vulnerabilities stem from insufficient authentication mechanisms within the Chaos Controller Manager's GraphQL server, allowing unauthenticated attackers to run arbitrary commands on the Chaos Daemon, resulting in cluster takeover. Threat actors could then leverage the access to potentially exfiltrate sensitive data, disrupt critical services, or even move laterally across the cluster to escalate privileges. Following responsible disclosure on May 6, 2025, all the identified shortcomings were addressed by Chaos Mesh with the release of version 2.7.3 on August 21. Users are advised to update their installations to the latest version as soon as possible. If immediate patching is not an option, it's recommended to restrict network traffic to the Chaos Mesh daemon and API server, and avoid running Chaos Mesh in open or loosely secured environments.
Daily Brief Summary
Researchers identified multiple critical vulnerabilities in Chaos Mesh, posing a risk of full Kubernetes cluster takeover if exploited by attackers with minimal in-cluster access.
The vulnerabilities, known as Chaotic Deputy, include CVE-2025-59359, CVE-2025-59360, CVE-2025-59361, and CVE-2025-59358, allowing remote code execution across clusters.
Insufficient authentication in the Chaos Controller Manager's GraphQL server enables unauthenticated command execution on the Chaos Daemon.
Exploitation could lead to data exfiltration, service disruption, and lateral movement within the cluster, escalating potential damage.
Chaos Mesh addressed these vulnerabilities with the release of version 2.7.3 on August 21, following responsible disclosure in May 2025.
Users are urged to update to the latest version promptly; if not feasible, restrict network traffic to the Chaos Mesh daemon and API server.
Organizations should avoid deploying Chaos Mesh in open or poorly secured environments to mitigate risks.