CVE-2025-59359
vulnerability analysis and mitigation

Overview

CVE-2025-59359 is a critical OS command injection vulnerability (CVSS 9.8) in the cleanTcs mutation of Chaos Controller Manager, the control-plane component of the Chaos-Mesh platform, a Cloud Native Computing Foundation incubating project. It affects versions prior to 2.7.3 and was publicly disclosed in September 2025 as one of a group of vulnerabilities that JFrog Security Research collectively named 'Chaotic Deputy' (JFrog Blog).

Technical details

The vulnerability is an OS command injection flaw in the cleanTcs mutation of the Chaos Controller Manager's GraphQL ctrl server. Attacker-controlled input is concatenated directly into the 'cmd' string, which is then handed to the ExecBypass method and executed in the context of the target pod. Because the string is interpreted as a shell command rather than as a fixed program with separate arguments, shell metacharacters in the input let an attacker append arbitrary commands to the intended one. The vulnerability carries a CVSS v3.1 score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (NVD).
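As an added illustration, not code from the Chaos-Mesh project or from the JFrog write-up, the Go snippet below reproduces the pattern described above (a caller-supplied device name concatenated into a tc command string) next to a hardened form that validates the name against an interface-name allowlist and returns an argv slice instead of a shell string. The function names, the regular expression, and the sample device values are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// ifaceName is an assumed allowlist for a Linux interface name: 1 to 15 bytes
// (IFNAMSIZ minus the terminator) of letters, digits, '_', '.' and '-'.
// It admits no whitespace and no shell metacharacters.
var ifaceName = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)

// buildCleanTcCommandUnsafe mirrors the flaw the advisory describes: the
// device name is concatenated straight into a command string that will be
// interpreted by a shell. A device value of "eth0; id" yields a second command.
func buildCleanTcCommandUnsafe(device string) string {
	return "tc qdisc del dev " + device + " root"
}

// buildCleanTcArgs is a hardened replacement. It rejects anything that is not
// a syntactically valid interface name and returns an argv slice, so the
// device name can only ever be a single argument to tc, never shell syntax.
// The slice is what one would hand to exec.Command or to an exec API that
// does not spawn a shell.
func buildCleanTcArgs(device string) ([]string, error) {
	if !ifaceName.MatchString(device) {
		return nil, fmt.Errorf("invalid interface name %q", device)
	}
	return []string{"tc", "qdisc", "del", "dev", device, "root"}, nil
}

func main() {
	// Constructed sample inputs: one benign name and two injection attempts.
	for _, dev := range []string{"eth0", "eth0; cat /etc/passwd", "$(id)"} {
		fmt.Printf("unsafe command string: %q\n", buildCleanTcCommandUnsafe(dev))
		args, err := buildCleanTcArgs(dev)
		if err != nil {
			fmt.Println("hardened: rejected:", err)
			continue
		}
		fmt.Printf("hardened argv: %q\n", args)
	}
}
```

The allowlist is deliberately stricter than the shell metacharacter set: validating that the value is an interface name at all is a smaller, more stable rule than enumerating every character a shell treats specially, and building an argv slice means that even an unexpected character cannot change the program that runs.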

Impact

When chained with CVE-2025-59358, which exposes the same Chaos Controller Manager server without authentication, this vulnerability allows unauthenticated attackers with network access inside the cluster to achieve remote code execution across the Kubernetes cluster. Attackers can run arbitrary commands in the context of any pod the controller can reach, which can lead to complete cluster takeover. This includes stealing privileged service account tokens and triggering the platform's native fault injections against workloads (JFrog Blog).

Mitigation and workarounds

Users are strongly recommended to upgrade to Chaos-Mesh version 2.7.3 or later, which contains the fix for this vulnerability. If immediate upgrading is not possible, a workaround is to re-deploy the Helm chart with the ctrl server (the component behind the chaosctl tool and its port) disabled, using the command: 'helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false' (or the equivalent helm upgrade on an existing release). Note that this workaround removes the exposed server rather than fixing the injection itself, and that chaosctl debugging features depending on that server will no longer work (JFrog Blog).

Community reactions

The vulnerability was reported by JFrog Security Research to the Chaos-Mesh development team on May 6, 2025. The Chaos-Mesh team released version 2.7.3 on August 21, 2025, which included a short-term fix that disables the CtrlServer by default. The vulnerability was publicly disclosed on September 15, 2025, alongside a detailed technical analysis from JFrog Security Research (JFrog Blog).
