Chaos Mesh Faces Critical GraphQL Vulnerabilities

Security researchers at JFrog have disclosed four vulnerabilities in Chaos Mesh, the Kubernetes-native chaos engineering platform used to test software resilience by injecting faults (pod kills, network delays, packet loss and similar). Collectively named "Chaotic Deputy," the flaws can be chained by an attacker who merely has network reachability to the Chaos Controller Manager from inside the cluster (for example, from any compromised pod) to take over the Kubernetes cluster. The vulnerabilities (CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361) live in the Controller Manager's GraphQL debugging server: the server accepts requests without authentication, and several of its mutations pass caller-controlled input into OS commands that are executed with the privileges of the Chaos Daemon, which runs as a privileged DaemonSet on every node. Together this amounts to unauthenticated remote command execution on cluster nodes.
JFrog's report highlights that an attacker exploiting the chain could disrupt services, exfiltrate sensitive data from other workloads, and escalate to cluster-wide control. Following coordinated disclosure, the Chaos Mesh maintainers fixed the issues in version 2.7.3, released on August 21, 2025. Users are urged to upgrade immediately. Where upgrading is not yet possible, the recommended interim measure is to restrict network access to the Chaos Mesh components (in particular, the Controller Manager's GraphQL endpoint) to the pods that genuinely need it, and to avoid running Chaos Mesh in multi-tenant or otherwise untrusted clusters until the fix is applied.
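One way to implement the "restrict network access" mitigation is a Kubernetes NetworkPolicy that selects the Controller Manager pods and allows ingress to the GraphQL endpoint only from the Chaos Dashboard. The manifest below is an added example and is not part of JFrog's report or of the Chaos Mesh project; the namespace (`chaos-mesh`), the pod labels (`app.kubernetes.io/component`) and the ports (10080 for the admission webhook, 10081 for metrics, 10082 for the GraphQL ctrl server) are assumptions based on a default Helm installation and must be checked against the actual deployment before applying.

```yaml
# Added example (not from the original article or the Chaos Mesh project).
# Restricts ingress to the Chaos Controller Manager so that the GraphQL
# "ctrl server" is reachable only from the Chaos Dashboard pods.
# All labels, ports and the namespace are ASSUMPTIONS for a default Helm install:
# verify with `kubectl -n chaos-mesh get pods --show-labels` and by inspecting
# the controller-manager container args before applying.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-chaos-controller-manager-ingress
  namespace: chaos-mesh            # assumed install namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: controller-manager   # assumed label
  policyTypes:
    - Ingress
  ingress:
    # Once a policy selects a pod, everything not listed here is denied, so the
    # admission webhook and metrics ports are explicitly kept open to all sources
    # (the kube-apiserver calling the webhook is not a pod and cannot be
    # selected with a podSelector). Ports are assumed defaults.
    - ports:
        - protocol: TCP
          port: 10080              # assumed: validating/mutating webhook
        - protocol: TCP
          port: 10081              # assumed: metrics
    # The GraphQL ctrl server (the vulnerable surface) is allowed only from
    # dashboard pods in the same namespace. Omit this rule entirely if the
    # dashboard features that rely on it are not needed.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: chaos-dashboard   # assumed label
      ports:
        - protocol: TCP
          port: 10082              # assumed: GraphQL ctrl server
```

Two caveats apply. NetworkPolicy is only enforced if the cluster's CNI plugin implements it; on a CNI that does not, the manifest is accepted by the API server but has no effect, so confirm enforcement with a test pod before relying on it. And this only shrinks the set of callers that can reach the unauthenticated endpoint; the command-injection bugs remain until the deployment runs 2.7.3 or later, which can be confirmed with `kubectl -n chaos-mesh get deploy -o jsonpath='{.items[*].spec.template.spec.containers[*].image}'` and checking the image tags.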
Shachar Menashe of JFrog emphasizes the inherent risk of tools like Chaos Mesh: by design they are granted broad, privileged control over the cluster so that they can break things on purpose, which makes any authentication gap in them a direct path to cluster compromise. The report also notes that the application attack surface keeps shifting, and that keeping current with advisories for the infrastructure tooling running inside a cluster, not just for application code, is part of mitigating it effectively.
Stay secure — stay Wavasec. 🔐