
Chaos Mesh GraphQL command injection and unauthenticated exposure (multiple vulnerabilities)

Type: Vulnerability
Happening score (H score): 24
Sources: 1 unique source, 1 article

Summary


Researchers disclosed CVE-2025-59358 through CVE-2025-59361 in Chaos Mesh, a set of flaws that expose Kubernetes clusters to remote code execution and cluster takeover. All four affect the Chaos Controller Manager, which exposed an unauthenticated GraphQL debugging server whose mutation handlers were vulnerable to command injection. The issue set, named Chaotic Deputy, can be chained by an attacker with only minimal in-cluster network access. Chaos Mesh 2.7.3 was released on August 21, 2025 to address the bugs, following responsible disclosure on May 6, 2025.

Timeline

  1. 16.09.2025 19:23 · 1 article

    Responsible disclosure of Chaotic Deputy in Chaos Mesh

    Initial Disclosure

    Chaos Mesh maintainers received responsible disclosure on May 6, 2025 of Chaotic Deputy, a set of critical GraphQL vulnerabilities in the Chaos Controller Manager. An attacker with minimal in-cluster network access could chain CVE-2025-59358 through CVE-2025-59361 for remote code execution, denial of service, and Kubernetes cluster takeover.

  2. 16.09.2025 19:23 · 1 article

    Chaos Mesh 2.7.3 closes Chaotic Deputy flaws

    Mitigation Patch Update

    Chaos Mesh version 2.7.3, released August 21, 2025, addressed the Chaotic Deputy weaknesses in the Chaos Controller Manager and Chaos Daemon: the unauthenticated GraphQL exposure in CVE-2025-59358 and the command injection flaws in CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361. Operators were advised to upgrade and, where immediate patching was not possible, to restrict network traffic to the Chaos Mesh daemon and API server and to avoid running Chaos Mesh in open or loosely secured environments.

  3. 16.09.2025 19:23 · 2 articles

    Public technical disclosure of Chaotic Deputy vulnerabilities

    Technical Analysis Update

    Researchers publicly disclosed Chaotic Deputy in Chaos Mesh, describing how missing authentication on the Chaos Controller Manager's GraphQL server lets an attacker with minimal in-cluster network access chain CVE-2025-59358 through CVE-2025-59361 to run arbitrary commands on the Chaos Daemon, steal privileged service-account tokens, disrupt Kubernetes pods and network communications, and take over the cluster.

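The two operator questions raised by the mitigation entry and the technical analysis above are "is my controller-manager image older than 2.7.3?" and "does its GraphQL debug server answer without credentials?". The script below is an added audit helper, not code from the Chaos Mesh project or from the researchers. It assumes the debug server listens on port 10082 under the path `/query` (verify both against your own deployment), and it only sends a read-only GraphQL introspection query, never a mutation, so it tests exposure without exercising any of the injection paths. The mock server at the bottom is a constructed stand-in so the check can be exercised offline.

```python
"""Audit helper for Chaotic Deputy exposure (added example, not Chaos Mesh code)."""
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# From the advisory summary: Chaos Mesh 2.7.3 closes CVE-2025-59358..59361.
FIXED_VERSION = (2, 7, 3)
# ASSUMPTION: controller-manager GraphQL debug server port and path; check your Helm values.
DEFAULT_GRAPHQL_PORT = 10082
GRAPHQL_PATH = "/query"
# Harmless introspection query: asks only for the schema's query type name.
PROBE_QUERY = '{"query":"{ __schema { queryType { name } } }"}'


def parse_version(image_ref):
    """Extract (major, minor, patch) from an image reference or bare tag."""
    tag = image_ref.rsplit(":", 1)[-1]          # 'ghcr.io/x/y:v2.7.2' -> 'v2.7.2'
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError("no semantic version in %r" % image_ref)
    return tuple(int(x) for x in m.groups())


def needs_patch(image_ref):
    """True if the running controller-manager is older than the fixed release."""
    return parse_version(image_ref) < FIXED_VERSION


def graphql_unauthenticated(base_url, timeout=3.0):
    """True if the endpoint returns schema data to an unauthenticated POST.

    401/403 (auth enforced), 404 (debug server off), connection refused and
    timeouts all count as 'not exposed' for the purpose of this check.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + GRAPHQL_PATH,
        data=PROBE_QUERY.encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode())
    except (urllib.error.URLError, ValueError, OSError):
        return False
    data = body.get("data") if isinstance(body, dict) else None
    return isinstance(data, dict) and "__schema" in data


# --- Constructed mock of a GraphQL endpoint, for offline demonstration only ---
class _MockGraphQL(BaseHTTPRequestHandler):
    require_auth = False   # overridden per server instance

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        payload = json.dumps(
            {"data": {"__schema": {"queryType": {"name": "Query"}}}}
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_mock_server(require_auth):
    """Start a loopback mock on a random port; returns (server, base_url)."""
    handler = type("MockHandler", (_MockGraphQL,), {"require_auth": require_auth})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    for ref in ("ghcr.io/chaos-mesh/chaos-mesh:v2.7.2", "v2.7.3"):
        print(ref, "needs patch:", needs_patch(ref))
    srv, url = start_mock_server(require_auth=False)
    print("unauthenticated mock exposed:", graphql_unauthenticated(url))
    srv.shutdown()
    srv.server_close()
    # Against a real cluster you would use something like
    # http://<controller-manager-pod-ip>:%d from inside the cluster.
```

Run the version check against the image tag reported by `kubectl get deploy -n chaos-mesh -o jsonpath` for the controller-manager, and run the probe from a pod inside the cluster, since the advisory's attacker model is in-cluster network access rather than external exposure.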