The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

Affected Packages

Go github.com/chaos-mesh/chaos-mesh

Affected versions: 0 (fixed in 2.7.3)

Related CVEs

CVE-2025-59361

Key Information

GHSA ID

GHSA-2gcv-3qpf-c5qr

Published

September 15, 2025 12:31 PM

Last Modified

September 15, 2025 8:51 PM

CVSS Score

9.0 /10

Primary Ecosystem

Primary Package

github.com/chaos-mesh/chaos-mesh

GitHub Reviewed

✓ Yes

Dataset

Last updated: October 5, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.