CVE-2025-59360 Overview
CVE-2025-59360 is a critical OS command injection vulnerability affecting the killProcesses mutation in the Chaos Controller Manager component of Chaos Mesh. This vulnerability allows attackers to inject arbitrary operating system commands through improperly sanitized input. When combined with CVE-2025-59358, this flaw enables unauthenticated in-cluster attackers to achieve remote code execution across Kubernetes clusters, potentially leading to complete cluster compromise.
Critical Impact
Unauthenticated attackers within the cluster network can exploit this command injection vulnerability to execute arbitrary commands, potentially leading to full Kubernetes cluster takeover when chained with CVE-2025-59358.
Affected Products
- Chaos Mesh (chaos-mesh:chaos_mesh)
- Chaos Controller Manager component
- Kubernetes deployments utilizing Chaos Mesh for chaos engineering
Discovery Timeline
- 2025-09-15 - CVE-2025-59360 published to NVD
- 2025-10-14 - Last updated in NVD database
Technical Details for CVE-2025-59360
Vulnerability Analysis
This vulnerability is classified as CWE-78 (OS Command Injection), a severe class of security flaws where user-controlled input is passed unsanitized to operating system command execution functions. The killProcesses mutation endpoint in Chaos Controller Manager fails to properly validate and sanitize process identifiers or related parameters before incorporating them into system commands.
Chaos Mesh is a popular chaos engineering platform for Kubernetes that allows operators to simulate various failure scenarios. The killProcesses mutation is designed to terminate processes as part of chaos experiments. However, the lack of input validation on this endpoint creates an opportunity for attackers to inject malicious command sequences that execute with the privileges of the Chaos Controller Manager.
The network-accessible nature of this vulnerability means that any entity with network access to the affected service can attempt exploitation without requiring any authentication or user interaction. This makes the vulnerability particularly dangerous in shared or multi-tenant Kubernetes environments.
Root Cause
The root cause of CVE-2025-59360 lies in insufficient input sanitization within the killProcesses mutation handler. The component directly incorporates user-supplied input into shell commands without proper escaping or validation. This allows attackers to break out of the intended command context and inject additional commands using shell metacharacters such as semicolons, pipes, backticks, or command substitution syntax.
The absence of parameterized command execution or an allowlist-based validation approach enables arbitrary command injection through specially crafted input values.
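The contrast described above, as an added Go example (it is not Chaos Mesh's code and is not taken from the fix in Pull Request #4702): a shell string built by concatenation next to allowlist validation with argv-based execution. The function names, the `pids` parameter and the sample values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// unsafeShellLine reproduces the flawed pattern (hypothetical helper): values are
// joined into one string a shell would parse, so metacharacters become syntax.
func unsafeShellLine(pids []string) string {
	return "kill " + strings.Join(pids, " ")
}

// validatePIDs is the allowlist: every value must be a plain positive decimal
// integer. ParseUint rejects signs, spaces and all shell metacharacters.
func validatePIDs(pids []string) ([]string, error) {
	if len(pids) == 0 {
		return nil, fmt.Errorf("no pids supplied")
	}
	clean := make([]string, 0, len(pids))
	for _, p := range pids {
		n, err := strconv.ParseUint(p, 10, 32)
		if err != nil || n == 0 {
			return nil, fmt.Errorf("rejected pid %q", p)
		}
		clean = append(clean, strconv.FormatUint(n, 10))
	}
	return clean, nil
}

// safeKillCmd builds an argv vector with no shell; the command is built, not run.
func safeKillCmd(pids []string) (*exec.Cmd, error) {
	clean, err := validatePIDs(pids)
	if err != nil {
		return nil, err
	}
	return exec.Command("kill", clean...), nil
}

func main() {
	hostile := []string{"101", "202; echo INJECTED"} // constructed sample input
	fmt.Printf("shell would parse: %q\n", unsafeShellLine(hostile))
	_, err := safeKillCmd(hostile)
	fmt.Println("hardened path:", err)
	cmd, _ := safeKillCmd([]string{"101", "0202"})
	fmt.Printf("argv: %q\n", cmd.Args)
}
```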
Attack Vector
The attack vector for CVE-2025-59360 is network-based, requiring the attacker to have network access to the Chaos Controller Manager service within the Kubernetes cluster. The exploitation flow typically involves:
- An attacker gains network access to the cluster (either as an internal actor or through another vulnerability such as CVE-2025-59358)
- The attacker crafts a malicious request to the killProcesses mutation endpoint
- The malicious payload contains shell metacharacters and injected commands
- The vulnerable component executes the injected commands with its elevated privileges
- The attacker achieves remote code execution on the node running the controller
The vulnerability requires no authentication and no user interaction, making it highly exploitable in environments where Chaos Mesh is deployed.
Detection Methods for CVE-2025-59360
Indicators of Compromise
- Unusual process termination patterns or unexpected killProcesses mutation requests in Chaos Mesh logs
- Suspicious shell command execution originating from the Chaos Controller Manager process
- Unexpected network connections or data exfiltration attempts from pods running Chaos Mesh components
- Anomalous resource creation, privilege escalation attempts, or RBAC modifications within the cluster
Detection Strategies
- Monitor Chaos Controller Manager logs for malformed or suspicious killProcesses requests containing shell metacharacters
- Implement runtime security monitoring to detect unexpected command execution from Chaos Mesh containers
- Deploy Kubernetes audit logging to track API calls to Chaos Mesh Custom Resources
- Use network policy monitoring to identify unusual traffic patterns from Chaos Mesh pods
Monitoring Recommendations
- Enable verbose logging on Chaos Controller Manager and forward logs to a SIEM for analysis
- Configure alerts for any process execution anomalies from chaos-mesh namespace pods
- Implement behavioral analysis to baseline normal Chaos Mesh operations and detect deviations
- Monitor for lateral movement indicators following any suspected exploitation attempts
How to Mitigate CVE-2025-59360
Immediate Actions Required
- Review the GitHub Pull Request #4702 for the official fix and apply the patch immediately
- Restrict network access to Chaos Controller Manager using Kubernetes NetworkPolicies
- Audit cluster access and ensure the principle of least privilege is enforced for all service accounts
- If patching is not immediately possible, consider temporarily disabling Chaos Mesh until the update can be applied
Patch Information
The Chaos Mesh maintainers have addressed this vulnerability in Pull Request #4702. Organizations should update to the patched version as soon as possible. Review the JFrog security research blog for additional technical details on this vulnerability and related issues.
Workarounds
- Implement strict NetworkPolicies to limit which pods can communicate with Chaos Controller Manager
- Use admission controllers to validate and sanitize input to Chaos Mesh resources
- Deploy runtime security tools to detect and block command injection attempts
- Consider isolating Chaos Mesh deployments to dedicated namespaces with restricted access
```yaml
# Example NetworkPolicy to restrict access to Chaos Controller Manager
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-chaos-controller
  namespace: chaos-mesh
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: controller-manager
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              chaos-mesh-access: "true"
```


