Aggregates CVE and security vulnerability intelligence across all chaos-mesh-related products, including CVSS scores, EPSS probabilities and publication dates.
Disclosed issues often relate to denial of service and OS command injection; exposure may include application crashes and remote code execution in production Kubernetes workloads.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-59361 | The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | [email protected] | 9.8 | 1.52% | 2025-09-15 | 2025-10-14 |
| CVE-2025-59360 | The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | [email protected] | 9.8 | 2.65% | 2025-09-15 | 2025-10-14 |
| CVE-2025-59359 | The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | [email protected] | 9.8 | 2.07% | 2025-09-15 | 2025-10-14 |
| CVE-2025-59358 | The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | [email protected] | 7.5 | 0.39% | 2025-09-15 | 2025-10-14 |
| CVE-2024-36538 | Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | [email protected] | 8.8 | 0.10% | 2024-07-24 | 2025-10-14 |