Cyber Resilience

CVE-2025-59361

CriticalPublic PoCRCE

Published: 15 September 2025

Published
15 September 2025
Modified
14 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0152 81.7th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59361 is a critical-severity OS Command Injection (CWE-78) vulnerability in Chaos-Mesh Chaos Mesh. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an OS command injection flaw (CWE-78) in the cleanIptables mutation of Chaos Controller Manager, a component of the Chaos Mesh Kubernetes chaos-engineering platform. It carries a CVSS 3.1 score of 9.8 and is tracked as CVE-2025-59361.

Unauthenticated attackers who already have a foothold inside the cluster can chain this issue with CVE-2025-59358 to inject and execute arbitrary operating-system commands, resulting in remote code execution that spans the entire Kubernetes cluster.

A fix is referenced in the upstream Chaos Mesh pull request 4702. Public analysis from JFrog describes how the two CVEs together enable full cluster takeover and recommends applying the patch or disabling the affected Chaos Controller Manager functionality until it can be updated.

EPSS for the CVE remains flat at 0.0152 with no observed rise after disclosure.

EU & UK References

Vulnerability details

The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1609 Container Administration Command Execution
Adversaries may abuse a container administration service to execute commands within a container.
Why these techniques?

OS command injection vulnerability in Chaos Controller Manager's cleanIptables mutation enables Unix shell command execution (T1059.004), exploitation of the in-cluster GraphQL remote service (T1210), privilege escalation from unprivileged pod access to cluster-wide RCE (T1068), and execution of container administration commands via fault injections and pod manipulations (T1609).

CVEs Like This One

CVE-2025-59359Same product: Chaos-Mesh Chaos Mesh
CVE-2025-59360Same product: Chaos-Mesh Chaos Mesh
CVE-2021-47745Shared CWE-78
CVE-2026-34005Shared CWE-78
CVE-2021-47747Shared CWE-78
CVE-2026-34792Shared CWE-78
CVE-2026-6644Shared CWE-78
CVE-2025-66211Shared CWE-78
CVE-2017-20215Shared CWE-78
CVE-2025-64120Shared CWE-78

Affected Assets

chaos-mesh
chaos mesh
≤ 2.7.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the OS command injection (CWE-78) in cleanIptables by requiring validation and sanitization of all inputs before execution in system commands.

prevent

Ensures timely remediation of the specific vulnerability through identification, testing, and deployment of patches like Chaos Mesh PR #4702.

prevent

Limits the scope and impact of remote code execution across the cluster by enforcing least privilege on the Chaos Controller Manager process.

References