CVE-2025-59361: 
Análisis y mitigación de vulnerabilidades

The cleanIptables mutation in Chaos Controller Manager (CVE-2025-59361) is a critical vulnerability with a CVSS score of 9.8. Discovered in September 2025, this vulnerability affects Chaos-Mesh versions earlier than 2.7.3. The vulnerability allows unauthenticated in-cluster attackers to perform remote code execution across the Kubernetes cluster through OS command injection (JFrog Blog, Hacker News).

The vulnerability stems from unsafe command construction in the cleanIptables GraphQL mutation where user input is directly concatenated into the command parameter without proper sanitization. The resolver function for cleanIptables concatenates user-provided chain values directly into an iptables command, which is then executed via the ExecBypass method. This allows attackers to inject arbitrary shell commands that will be executed on the targeted pod (JFrog Blog).

When exploited, this vulnerability allows attackers with in-cluster network access to execute arbitrary commands on any pod in the cluster, even from an unprivileged pod. Attackers can steal privileged service account tokens, escalate privileges, and potentially achieve complete cluster takeover. The vulnerability can be exploited even in the default configuration of Chaos-Mesh (JFrog Blog, GBHackers).

Users are strongly recommended to upgrade to Chaos-Mesh version 2.7.3 or later, which contains the fix for this vulnerability. For environments where immediate upgrading is not possible, a temporary workaround is available by disabling the chaosctl tool and port using the command: 'helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false' (JFrog Blog).

The vulnerability was responsibly disclosed by JFrog Security Research to the Chaos-Mesh development team on May 6, 2025. The Chaos-Mesh maintainers worked quickly to address the issue, releasing a fixed version on August 21, 2025. The vulnerability has gained significant attention in the cybersecurity community due to its critical severity and potential impact on Kubernetes environments (JFrog Blog).