GHSA-2gg8-85m5-8r2p

GitHub Security Advisory

Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function

Status: GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.

Affected Packages

Ecosystem: Go
Package: github.com/chaos-mesh/chaos-mesh
Affected versions: introduced in 0 (all releases before the fix); fixed in 2.7.3

Related CVEs

Key Information

GHSA ID
GHSA-2gg8-85m5-8r2p
Published
September 15, 2025 12:31 PM
Last Modified
September 15, 2025 9:06 PM
CVSS Score
7.5 /10
Primary Ecosystem
Go
Primary Package
github.com/chaos-mesh/chaos-mesh
GitHub Reviewed
✓ Yes

Dataset

Last updated: October 5, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.