41 matches found
OS Command Injection
github.com/chaos-mesh/chaos-mesh is vulnerable to OS command Injection. The vulnerability is due to unsanitized input handling in the cleanTcs mutation due to user-controlled fields being passed to operating-system command execution without proper validation. An attacker can use this to perform...
OS Command Injection
github.com/chaos-mesh/chaos-mesh is vulnerable to OS command injection. The vulnerability is due to improper input validation in the cleanIptables mutation, which allows an unauthenticated in-cluster attacker to execute arbitrary commands and achieve remote code execution across the cluster...
Improper Authentication Exposure
github.com/chaos-mesh/chaos-mesh is vulnerable to improper authentication exposure. The vulnerability is due to the Chaos Controller Manager exposing an unauthenticated GraphQL debugging server to the entire Kubernetes cluster, which allows an attacker to kill arbitrary processes in any pod...
EUVD-2025-29175
Malicious code in bioql PyPI...
SUSE CVE-2025-59358
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...
GO-2025-3951 Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function in github.com/chaos-mesh/chaos-mesh
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function in github.com/chaos-mesh/chaos-mesh. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positiv...
GO-2025-3952 Chaos Controller Manager is vulnerable to OS command injection in github.com/chaos-mesh/chaos-mesh
Chaos Controller Manager is vulnerable to OS command injection in github.com/chaos-mesh/chaos-mesh. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
GO-2025-3954 Chaos Controller Manager is vulnerable to OS command injection in github.com/chaos-mesh/chaos-mesh
Chaos Controller Manager is vulnerable to OS command injection in github.com/chaos-mesh/chaos-mesh. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
GO-2025-3949 Chaos Controller Manager is vulnerable to OS command injection in github.com/chaos-mesh/chaos-mesh
Chaos Controller Manager is vulnerable to OS command injection in github.com/chaos-mesh/chaos-mesh. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
CVE-2025-59358
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...
Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover
Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the...
GHSA-2GG8-85M5-8R2P Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...
CVE-2025-59358
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...
CVE-2025-59358
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...
CVE-2025-59361 OS command injection in Chaos Mesh via the cleanIptables mutation
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster...
CVE-2025-59361 OS command injection in Chaos Mesh via the cleanIptables mutation
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster...
CVE-2025-59361
The provided connected sources confirm CVE-2025-59361 pertains to Chaos Mesh’s Chaos Controller Manager, specifically an OS command injection in the mutation path (cleanIptables). The related entry CVE-2025-59358 describes an unauthenticated exposure via a GraphQL debugging surface that can kill ...
CVE-2025-59360 OS command injection in Chaos Mesh via the killProcesses mutation
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster...
CVE-2025-59360 OS command injection in Chaos Mesh via the killProcesses mutation
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster...
CVE-2025-59360
CVE-2025-59360 concerns Chaos Mesh’s Chaos Controller Manager. The killProcesses mutation (and related mutations like cleanIptables/cleanTcs) is reported vulnerable to OS command injection, enabling unauthenticated in-cluster attackers to perform remote code execution across the Kubernetes cluste...