CVE-2025-59358: vulnerability analysis and mitigation

Overview

The Chaos Controller Manager in Chaos Mesh contains a critical vulnerability (CVE-2025-59358) discovered in September 2025. The vulnerability exposes an unauthenticated GraphQL debugging server to the entire Kubernetes cluster; that server provides an API that can kill arbitrary processes in any Kubernetes pod. The vulnerability affects Chaos Mesh versions prior to 2.7.3 and has been assigned a CVSS score of 7.5 (High) (JFrog Blog, NVD).

Technical details

The vulnerability stems from a debugging tool that is activated by default on the Controller, exposing an unauthenticated GraphQL server. The '/query' endpoint lacks authentication enforcement, allowing any attacker with cluster network access to communicate with the GraphQL server. The vulnerability is tracked as CWE-306 (Missing Authentication for Critical Function) and enables attackers to initiate fault injections across the Kubernetes cluster at will (JFrog Blog).

Impact

The vulnerability gives an in-cluster attacker cluster-wide denial-of-service capability. Attackers with in-cluster access can execute the chaos platform's native fault injections, including shutting down pods and interrupting network communications. This access allows attackers to shut down critical system pods, including the API server pod, resulting in cluster-wide service disruption (JFrog Blog, Hacker News).

Mitigation and workarounds

Users are advised to upgrade Chaos Mesh to version 2.7.3 or later as soon as possible. If immediate upgrading is not possible, a workaround is available by re-deploying the Helm chart and disabling the chaosctl tool and port using the command: 'helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false' (JFrog Blog).
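To check existing deployments against the upgrade and workaround guidance above, the following Python helper (an added example, not code from Chaos Mesh, JFrog or Wiz) classifies a Chaos Mesh Helm release from the JSON that `helm list -o json` and `helm get values -o json` print. It assumes the `enableCtrlServer` value named in the workaround is the only knob that matters, that the ctrl server defaults to enabled before 2.7.3 and disabled from 2.7.3 on (as the advisory states), and that `helm get values` prints `null` when no user values were supplied; the sample outputs are constructed.

```python
import json
import re
from typing import Any, Dict, Optional, Tuple

FIXED_VERSION = (2, 7, 3)             # first release with the CVE-2025-59358 fix
CTRL_SERVER_KEY = "enableCtrlServer"  # Helm value used by the published workaround


def parse_version(version: str) -> Tuple[int, ...]:
    """Extract a comparable (major, minor, patch) tuple from '2.7.2' or
    from the 'chaos-mesh-2.7.2' form that `helm list` uses in its 'chart' field."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no semantic version found in {version!r}")
    return tuple(int(x) for x in m.groups())


def assess_release(chart_version: str, values: Optional[Dict[str, Any]]) -> str:
    """Classify one release with respect to CVE-2025-59358.

    'vulnerable' - chart < 2.7.3 and the ctrl server is at its enabled default
    'mitigated'  - chart < 2.7.3 but enableCtrlServer=false was applied (workaround)
    'exposed'    - chart >= 2.7.3 but enableCtrlServer=true was set explicitly;
                   2.7.3 only changed the default, so the server is back on
                   (assumption: treat this as needing review)
    'fixed'      - chart >= 2.7.3 with the ctrl server left disabled
    """
    ctrl = (values or {}).get(CTRL_SERVER_KEY)
    if parse_version(chart_version) < FIXED_VERSION:
        return "mitigated" if ctrl is False else "vulnerable"
    return "exposed" if ctrl is True else "fixed"


def assess_from_helm_output(list_json: str, values_json: str,
                            release: str = "chaos-mesh") -> str:
    """Combine `helm list -n <ns> -o json` and `helm get values <release> -n <ns> -o json`."""
    entry = next(r for r in json.loads(list_json) if r["name"] == release)
    return assess_release(entry["chart"], json.loads(values_json))


# Constructed sample outputs (not captured from a real cluster).
SAMPLE_LIST = ('[{"name": "chaos-mesh", "namespace": "chaos-mesh", '
               '"chart": "chaos-mesh-2.7.2", "app_version": "2.7.2"}]')
SAMPLE_VALUES_DEFAULT = "null"                      # no user-supplied values
SAMPLE_VALUES_WORKAROUND = '{"enableCtrlServer": false}'

if __name__ == "__main__":
    print("default install :", assess_from_helm_output(SAMPLE_LIST, SAMPLE_VALUES_DEFAULT))
    print("with workaround :", assess_from_helm_output(SAMPLE_LIST, SAMPLE_VALUES_WORKAROUND))
```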

Community reactions

The vulnerability was responsibly disclosed to the Chaos Mesh development team on May 6, 2025. The team responded by releasing version 2.7.3 on August 21, 2025, containing a short-term fix in which the CtrlServer is no longer active by default. The security community has emphasized the critical nature of this vulnerability, particularly because of its potential impact on Kubernetes environments (JFrog Blog).
