CVE-2025-59361: 
vulnerability analysis and mitigation

The cleanIptables mutation in Chaos Controller Manager (CVE-2025-59361) is a critical vulnerability discovered in September 2025. This vulnerability affects the Chaos Mesh platform, specifically the Chaos Controller Manager component. The issue was first reported by JFrog and received a CVSS v3.1 score of 9.8 (Critical) (NVD).

The vulnerability is classified as an OS Command Injection (CWE-78) in the cleanIptables mutation functionality of the Chaos Controller Manager. When combined with CVE-2025-59358, it enables unauthenticated in-cluster attackers to perform remote code execution across the cluster. The severity is rated as Critical with a CVSS v3.1 Base Score of 9.8, indicating the highest level of risk (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows unauthenticated in-cluster attackers to achieve remote code execution capabilities across the entire Kubernetes cluster. This level of access could potentially lead to complete cluster compromise, data breaches, and service disruptions (NVD).

As a mitigation measure, the chaosctl server has been disabled by default to reduce potentially unsafe queries. This change was implemented through a pull request that updates the enableCtrlServer setting to false in the values configuration (GitHub PR).