Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover

Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the...

ai.ancf.lmos-router:lmos-router-hybrid-spring-boot-starter (=0.28.0), ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0) +18121 more potentially affected by CVE-2025-41249 via org.springframework:spring-core (>=6.0.0 <=6.1.21)

org.springframework:spring-core MAVEN version =6.0.0, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.12.1 - ai.djl.spring:djl-spring-boot-starter-autoconfigure =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-auto =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-linux-x8664 =0.2...

Malicious code in graphql-sequelize-teselagen (npm)

The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 61bd0f16d8ac09ad8d170113bc0bc5ed2cbba4f9d406fa9a852cface0b40be37 Any computer that has this package installed or running should be considered fully compromised. All...

GHSA-JJ4J-X5WW-CWH9 Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden

Summary Certain bulk action calls with a beforetransaction hook and no aftertransaction hook, will call the beforetransaction hook before authorization is checked and a Forbidden error is returned, when called as a bulk action. The impact is that a malicious user could cause a beforetransaction t...

Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...

CVE-2025-59358 Denial of Service via Unauthorized Access to Chaos Mesh debugging server

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...

CVE-2025-59358 Denial of Service via Unauthorized Access to Chaos Mesh debugging server

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...

CVE-2025-59358

The CVE-2025-59358 entry is linked to Chaos Mesh: the Chaos Controller Manager exposes a GraphQL debugging server without authentication, reachable across the Kubernetes cluster. This misconfiguration permits an attacker to access an API capable of killing arbitrary processes in any pod, leading ...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts, including credentials and API tokens. It also downloads malicious files and repackages them...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts, including credentials and API tokens. It also downloads malicious files and repackages them...

PT-2025-37473

Name of the Vulnerable Software and Affected Versions Chaos Mesh versions prior to 2.7.3 Description The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster. This server provides an API that allows attackers to kill...

CVE-2025-43796

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...

graphql-playground

It is an offensive tool for GraphQL. This repository contains a proof-of-concept PoC exploit for a vulnerability in the GraphQL Playground, a popular IDE for GraphQL development. The exploit targets an XSS Reflection attack vulnerability in the graphql-playground-html package, which was resolved ...

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS in the GraphQL process. An attacker can exhaust system resources by executing queries that return a large number of objects. Details Denial of Service DoS describes a family of attacks, all aimed at making a system...

Denial of Service (DoS)

Overview com.liferay:com.liferay.portal.vulcan.impl is a Liferay Portal Vulcan Implementation Affected versions of this package are vulnerable to Denial of Service DoS in the GraphQL process. An attacker can exhaust system resources by executing queries that return a large number of objects...

GHSA-F3HF-R62C-MFRJ Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...

Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...

CVE-2025-43796

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...

CVE-2025-43796

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...

CVE-2025-43796

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...