“Chaotic Deputy” vulnerabilities in Chaos Mesh (CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361) are highly exploitable, enabling attackers to take over entire clusters
The JFrog Security Research team has uncovered and disclosed multiple critical vulnerabilities, collectively named “Chaotic Deputy,” in Chaos Mesh, an engineering platform widely adopted in Kubernetes environments.
The four identified vulnerabilities, rated with critical severity (CVSS 9.8), can easily be exploited by attackers with in-cluster access, putting organisations using Chaos Mesh, including those leveraging managed infrastructure like Azure Chaos Studio, at immediate risk. Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform’s fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens.
“Platforms such as Chaos Mesh give, by design, complete control of the Kubernetes cluster to the platform,” said Shachar Menashe, VP Security Research at JFrog. “This flexibility can become a critical risk when vulnerabilities such as Chaotic Deputy are discovered. We recommend that Chaos Mesh users upgrade swiftly since these vulnerabilities are extremely easy to exploit and lead to total cluster takeover. We also want to offer our thanks to the Chaos Mesh maintainers for their rapid response and collaboration in addressing these critical security issues.”
The vulnerabilities stemmed from insufficient authentication mechanisms within the Chaos Controller Manager’s GraphQL server, enabling unauthenticated attackers to perform devastating commands, including arbitrary OS command injections and denial-of-service attacks, culminating in complete cluster takeover. Exploitation enables attackers to execute arbitrary code across any pod within the cluster, even when Chaos Mesh runs in its default configuration, allowing them to potentially exfiltrate sensitive data, disrupt critical services, or move laterally across the cluster to escalate privileges.
Chaos Mesh users can run the following shell command to check their vulnerability status:
kubectl get pods -A --selector app.kubernetes.io/name=chaos-mesh -o=jsonpath="{range .items[*]}{.metadata.name}{': '}{range .spec.containers[*]}{.image}{', '}{end}{'\n'}{end}"
If the returned Chaos Mesh image version is earlier than 2.7.3, the following remediation actions are recommended:
- Upgrade immediately to version 2.7.3 or later.
- If you cannot upgrade right away, restrict network traffic to the Chaos Mesh daemon and API server to reduce exposure.
- Avoid running Chaos Mesh in open or loosely secured environments, especially those accessible to potentially compromised workloads.
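As an added example (not from the article, JFrog or the Chaos Mesh project), the following bash script parses the output of the kubectl check above and reports which Chaos Mesh container images are older than the 2.7.3 fix, treating digest-pinned or untagged images as undecidable rather than silently passing them. The pod names, the SAMPLE output and the set of "core" image names (chaos-mesh, chaos-daemon, chaos-dashboard) are constructed assumptions.

```shell
# Added example (not from the article): parse the output of the kubectl check
# above and flag Chaos Mesh images older than the 2.7.3 fix. SAMPLE is constructed.
set -u
FIXED_VERSION="2.7.3"
# True when version $1 sorts strictly before $2 (sort -V: GNU coreutils/busybox).
version_older_than() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}
# ghcr.io/chaos-mesh/chaos-mesh:v2.6.3 -> 2.6.3. Digest-pinned or untagged
# references cannot be judged by an "earlier than 2.7.3" test -> unknown.
image_tag() {
  local ref="${1%%@*}" tag
  tag="${ref##*:}"
  case "$tag" in
    "$ref"|*/*) echo "unknown" ;;   # no ':' after the last '/' => no tag
    *)          echo "${tag#v}" ;;
  esac
}
# Reads "pod: image, image, " lines (the jsonpath format above) on stdin and prints
# "STATUS pod image" per container. Assumed core images: chaos-mesh, chaos-daemon,
# chaos-dashboard; other images (e.g. a separately versioned DNS server) are SKIPPED.
scan_chaos_mesh_images() {
  local line pod image tag status
  while IFS= read -r line; do
    pod="${line%%:*}"
    printf '%s\n' "${line#*: }" | tr ',' '\n' | while IFS= read -r image; do
      image="${image#"${image%%[![:space:]]*}"}"   # trim leading blanks
      image="${image%"${image##*[![:space:]]}"}"   # trim trailing blanks
      [ -n "$image" ] || continue
      case "${image%%@*}" in
        */chaos-mesh:*|*/chaos-mesh|*/chaos-daemon*|*/chaos-dashboard*)
          tag="$(image_tag "$image")"
          if   [ "$tag" = "unknown" ]; then status="UNKNOWN"
          elif version_older_than "$tag" "$FIXED_VERSION"; then status="VULNERABLE"
          else status="OK"; fi ;;
        *) status="SKIPPED" ;;
      esac
      printf '%s %s %s\n' "$status" "$pod" "$image"
    done
  done
}
# Number of VULNERABLE images on stdin; non-zero means "upgrade now".
count_vulnerable() { scan_chaos_mesh_images | grep -c '^VULNERABLE ' || true; }
SAMPLE='chaos-controller-manager-7d9f: ghcr.io/chaos-mesh/chaos-mesh:v2.6.3, 
chaos-daemon-x2k9: ghcr.io/chaos-mesh/chaos-daemon:v2.7.3, 
chaos-dashboard-5c1a: ghcr.io/chaos-mesh/chaos-dashboard@sha256:0000beef, 
chaos-dns-server-8b2c: ghcr.io/chaos-mesh/chaos-coredns:v0.2.6, '
# In a real cluster: kubectl get pods -A --selector ... | scan_chaos_mesh_images
printf '%s\n' "$SAMPLE" | scan_chaos_mesh_images
```

UNKNOWN and SKIPPED lines need a manual look (resolve the digest, or check that component's own release notes) rather than being counted as safe.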