CVE-2025-59360: vulnerability analysis and mitigation

Overview

The killProcesses mutation in Chaos Controller Manager (CVE-2025-59360) is a critical vulnerability discovered in September 2025. This vulnerability allows OS command injection in the Chaos Mesh platform, a popular Chaos Engineering platform. When combined with CVE-2025-59358, it enables unauthenticated in-cluster attackers to perform remote code execution across the Kubernetes cluster. The vulnerability affects Chaos Mesh versions earlier than 2.7.3, including implementations in managed services like Azure Chaos Studio (JFrog Blog).

Technical details

The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from the killProcesses mutation in the Chaos Controller Manager where user input is directly concatenated into the 'cmd' parameter, which is then passed to the ExecBypass method for command execution on the target pod. This implementation allows attackers to inject arbitrary shell commands (JFrog Blog).
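To make the flaw class concrete, the following Go example (added here; it is an illustrative reconstruction, not Chaos Mesh's actual code) puts the vulnerable pattern the advisory describes, caller-supplied text concatenated into a shell command line, next to a hardened form that validates every process id as a positive integer and builds an argv slice for exec without a shell. The function names and the "kill -9" command are assumptions chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// buildKillCommandVulnerable mirrors the defect described in the advisory:
// caller-supplied text is concatenated into a single command string that is
// later handed to a shell. Any element of pids that is not a number simply
// becomes part of that command line. (Illustrative reconstruction only.)
func buildKillCommandVulnerable(pids []string) string {
	return "kill -9 " + strings.Join(pids, " ")
}

// parsePIDs is the hardening step: every element must be a positive integer,
// so shell metacharacters can never reach the command line.
func parsePIDs(raw []string) ([]int, error) {
	if len(raw) == 0 {
		return nil, errors.New("no pids supplied")
	}
	out := make([]int, 0, len(raw))
	for _, r := range raw {
		pid, err := strconv.Atoi(strings.TrimSpace(r))
		if err != nil || pid <= 0 {
			return nil, fmt.Errorf("rejecting pid %q: must be a positive integer", r)
		}
		out = append(out, pid)
	}
	return out, nil
}

// buildKillCommandSafe returns argv for exec without a shell: the binary and
// each argument are separate strings, so nothing is ever interpreted by sh.
func buildKillCommandSafe(raw []string) ([]string, error) {
	pids, err := parsePIDs(raw)
	if err != nil {
		return nil, err
	}
	argv := []string{"kill", "-9"}
	for _, p := range pids {
		argv = append(argv, strconv.Itoa(p))
	}
	return argv, nil
}

// runSafe shows how the argv would be executed: exec.Command with a separate
// argument slice, never "sh -c". It is not invoked by main, so nothing is
// actually killed when this file runs.
func runSafe(raw []string) error {
	argv, err := buildKillCommandSafe(raw)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}

func main() {
	// Constructed inputs: one clean list and one carrying a shell separator.
	good := []string{"1234", "5678"}
	bad := []string{"1234; echo injected"}
	fmt.Println("vulnerable builds:", buildKillCommandVulnerable(bad))
	if _, err := buildKillCommandSafe(bad); err != nil {
		fmt.Println("hardened rejects:", err)
	}
	argv, _ := buildKillCommandSafe(good)
	fmt.Println("hardened argv:", argv)
}
```

The design point is that validation and argv construction happen in the same function, so a reviewer can see in one place that no string reaches a shell; reviewing Go code for similar bugs, the pattern to look for is any `exec.Command("sh", "-c", ...)` or equivalent whose command string is assembled from request fields.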

Impact

The vulnerability enables attackers with in-cluster access to execute arbitrary commands on any pod in the cluster, even from an unprivileged pod. This can lead to cluster-wide privilege escalation, service account token theft, and complete cluster takeover. Attackers can perform actions such as shutting down pods, disrupting network communications, and stealing privileged service account tokens (JFrog Blog, Hacker News).

Mitigation and workarounds

Users are strongly advised to upgrade to Chaos Mesh version 2.7.3 or later, which contains the fix. If immediate upgrading is not possible, a workaround is available by re-deploying the Helm chart with the control server used by the chaosctl tool, and its port, disabled using the command: 'helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false' (JFrog Blog).
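A small triage helper, added here as an example and not part of the advisory or of Chaos Mesh, turns the two facts above into a check: a deployment needs action when its chart version is earlier than 2.7.3 and the control server has not been switched off via `enableCtrlServer=false`. It parses a version string (or a `vX.Y.Z` image tag) and scans the YAML printed by `helm get values <release> -n chaos-mesh -o yaml` for the top-level key. The assumption, labelled in the code, is that charts before 2.7.3 default the key to true when it is absent; the constructed values snippets in main are illustrative.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the release the advisory names as containing the fix.
var fixedVersion = [3]int{2, 7, 3}

// parseVersion accepts "2.7.2" or "v2.7.2" (a pre-release suffix after "-"
// is ignored) and returns major, minor, patch.
func parseVersion(s string) ([3]int, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core := strings.SplitN(s, "-", 2)[0]
	fields := strings.Split(core, ".")
	if len(fields) != 3 {
		return [3]int{}, fmt.Errorf("unrecognised version %q", s)
	}
	var v [3]int
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return [3]int{}, fmt.Errorf("unrecognised version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// versionAffected is true for releases earlier than 2.7.3.
func versionAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if v[i] != fixedVersion[i] {
			return v[i] < fixedVersion[i], nil
		}
	}
	return false, nil
}

// ctrlServerEnabled scans user-supplied Helm values for the top-level
// enableCtrlServer key. ASSUMPTION: pre-2.7.3 charts enable the control
// server when the key is absent, so absence is treated as enabled.
func ctrlServerEnabled(valuesYAML string) bool {
	for _, line := range strings.Split(valuesYAML, "\n") {
		if line != "" && (line[0] == ' ' || line[0] == '\t') {
			continue // nested key, not the top-level switch
		}
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "enableCtrlServer:") {
			val := strings.TrimSpace(strings.TrimPrefix(trimmed, "enableCtrlServer:"))
			return val != "false"
		}
	}
	return true
}

// needsAction combines both checks: a pre-2.7.3 release with the control
// server still on needs either the upgrade or the documented workaround.
func needsAction(version, valuesYAML string) (bool, error) {
	affected, err := versionAffected(version)
	if err != nil {
		return false, err
	}
	return affected && ctrlServerEnabled(valuesYAML), nil
}

func main() {
	// Constructed sample: a 2.7.2 release deployed with the workaround applied.
	withWorkaround := "enableCtrlServer: false\ncontrollerManager:\n  replicaCount: 3\n"
	// Constructed sample: the same release with default values.
	defaults := "controllerManager:\n  replicaCount: 3\n"
	for _, c := range []struct{ ver, vals string }{{"v2.7.2", withWorkaround}, {"v2.7.2", defaults}, {"v2.7.3", defaults}} {
		n, err := needsAction(c.ver, c.vals)
		fmt.Printf("%s needsAction=%v err=%v\n", c.ver, n, err)
	}
}
```

Because `helm get values` without `-a` prints only the values the operator supplied, an absent key really does mean the chart default is in force, which is why the helper treats absence as enabled for the affected versions.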

Community reactions

The vulnerability was responsibly disclosed to the Chaos-Mesh development team on May 6, 2025. The team responded by releasing version 2.7.3 on August 21, 2025, which included a short-term fix by disabling the CtrlServer by default. The security community has emphasized the critical nature of this vulnerability, particularly due to its potential impact on Kubernetes environments (JFrog Blog).
