CVE-2025-59361
Published: 15 September 2025
Summary
CVE-2025-59361 is a critical-severity OS Command Injection (CWE-78) vulnerability in Chaos-Mesh Chaos Mesh. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an OS command injection flaw (CWE-78) in the cleanIptables mutation of Chaos Controller Manager, a component of the Chaos Mesh Kubernetes chaos-engineering platform. It carries a CVSS 3.1 score of 9.8 and is tracked as CVE-2025-59361.
Unauthenticated attackers who already have a foothold inside the cluster can chain this issue with CVE-2025-59358 to inject and execute arbitrary operating-system commands, resulting in remote code execution that spans the entire Kubernetes cluster.
A fix is referenced in the upstream Chaos Mesh pull request 4702. Public analysis from JFrog describes how the two CVEs together enable full cluster takeover and recommends applying the patch or disabling the affected Chaos Controller Manager functionality until it can be updated.
EPSS for the CVE remains flat at 0.0152 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29177
Vulnerability details
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection vulnerability in Chaos Controller Manager's cleanIptables mutation enables Unix shell command execution (T1059.004), exploitation of the in-cluster GraphQL remote service (T1210), privilege escalation from unprivileged pod access to cluster-wide RCE (T1068), and execution of container administration commands via fault injections and pod manipulations (T1609).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the OS command injection (CWE-78) in cleanIptables by requiring validation and sanitization of all inputs before execution in system commands.
Ensures timely remediation of the specific vulnerability through identification, testing, and deployment of patches like Chaos Mesh PR #4702.
Limits the scope and impact of remote code execution across the cluster by enforcing least privilege on the Chaos Controller Manager process.