Critical Bugs in Chaos Mesh Enable Cluster Takeover

Summary

Researchers at JFrog discovered four vulnerabilities in the Chaos Mesh chaos-engineering platform that can be chained to take over Kubernetes clusters. Collectively dubbed “Chaotic Deputy,” the set comprises three critical command-injection issues (CVE-2025-59360, CVE-2025-59361, CVE-2025-59359; CVSS 9.8) that allow execution of arbitrary OS commands on pods, and a fourth (CVE-2025-59358; CVSS 7.5) that can trigger a cluster-wide denial of service. The bugs stem from unsafe handling of user input in Chaos Controller Manager components used to schedule and run fault injections. Patches were released in Chaos Mesh 2.7.3 on 21 August; JFrog recommends upgrading immediately or applying the available workarounds.

Key Points

  • JFrog found four vulnerabilities in Chaos Mesh collectively named “Chaotic Deputy.”
  • Three are critical command-injection flaws enabling arbitrary OS commands in pods and potential cluster takeover (CVSS 9.8).
  • One vulnerability can cause denial-of-service across the cluster (CVSS 7.5).
  • Flaws relate to unsafe input sanitisation in the Chaos Controller Manager and cleanTcs fault-injection code.
  • Attackers only need prior access to a pod — a common situation — to exploit these bugs and escalate privileges via service tokens.
  • Chaos Mesh 2.7.3 fixes the issues; organisations should upgrade immediately or apply JFrog’s workaround if they cannot upgrade straight away.
  • Chaos engineering platforms by design often have broad cluster privileges, making them high-value targets for attackers.

Content summary

Chaos Mesh is an open-source CNCF-incubating chaos-engineering tool used to inject failures into Kubernetes environments to test resilience. JFrog audited the Chaos Controller Manager — the component orchestrating experiments — and identified multiple controllers and fault-injection paths that did not properly sanitise user input. This permitted command injection and access to Kubernetes service tokens across pods. With those tokens an attacker running in an unprivileged pod can escalate to full cluster control. JFrog reported the issues in May and Chaos Mesh published a patched release on 21 August. The vendor also provides a mitigation path for users who cannot patch immediately.

JFrog notes the attractiveness of chaos platforms to attackers because they intentionally require broad privileges to perform fault injections. The company is also investigating similar issues in other chaos tools and will disclose findings following coordinated disclosure processes. The recommended mitigations include upgrading, tightening security on WAN-facing pods, applying SCA/SAST, and ensuring chaos tools do not allow arbitrary code execution on pods — limiting fault injection to DoS-style operations where possible.
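As an added illustration (not Chaos Mesh's code, and not the specific bug JFrog reported), the Go below contrasts the unsafe pattern behind this class of flaw, splicing a caller-supplied value into a shell command string, with the hardened form the last point calls for: validate the input against a strict allowlist and hand it to exec as a separate argv element with no shell in between. The function names, the `tc` cleanup command and the device-name pattern are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Assumed policy: Linux interface names are at most 15 characters; this
// example additionally restricts them to letters, digits, '.', '_' and '-'.
var ifaceNamePattern = regexp.MustCompile(`^[A-Za-z0-9._-]{1,15}$`)

// unsafeCleanupCommand shows the hazard: the caller-supplied name is spliced
// into a string destined for "sh -c", so shell metacharacters in the name
// change what the shell runs. It only builds the string; it never executes it.
func unsafeCleanupCommand(device string) string {
	return fmt.Sprintf("tc qdisc del dev %s root", device)
}

// buildCleanupArgv is the hardened form: reject anything outside the allowlist,
// then return an argv slice so exec passes the name as one literal argument.
func buildCleanupArgv(device string) ([]string, error) {
	if !ifaceNamePattern.MatchString(device) {
		return nil, errors.New("rejected device name: " + device)
	}
	return []string{"tc", "qdisc", "del", "dev", device, "root"}, nil
}

// cleanupQdisc runs the validated command without a shell. Not exercised by
// the test, since tc is not expected to be present there.
func cleanupQdisc(device string) error {
	argv, err := buildCleanupArgv(device)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}

func main() {
	// Constructed sample inputs: a valid name and one carrying a shell separator.
	for _, name := range []string{"eth0", "eth0; ls"} {
		argv, err := buildCleanupArgv(name)
		fmt.Printf("%q -> argv=%v err=%v\n", name, argv, err)
		fmt.Printf("    shell string would have been: %s\n", unsafeCleanupCommand(name))
	}
}
```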

Context and relevance

This is a high-impact security story for any organisation running Kubernetes and using chaos engineering tools. Chaos platforms are increasingly used in production to validate resilience, but their powerful APIs and cluster-wide permissions turn them into an attractive attack surface. The Chaotic Deputy findings highlight the tension between giving test tools enough privilege to do useful work and limiting blast radius to reduce risk. The issue also underscores the broader trend of attackers exploiting a foothold in WAN-facing pods to pivot through clusters.

Why should I read this?

If you run Kubernetes or use chaos engineering tooling — stop and check this now. The bugs let someone who already has a tiny foothold inside your cluster turn that into full control. Patch Chaos Mesh to 2.7.3 or follow JFrog’s workaround, lock down WAN-facing pods, and re-evaluate whether your chaos tool needs permission to run arbitrary code on pods. We’ve done the heavy lifting here so you can act fast.

Author style

Punchy: this isn’t a theoretical vulnerability — it’s practical and exploitable. If Chaos Mesh is in your environment, treat the patch as urgent and assume attackers will try to weaponise these flaws quickly.

Source

Source: https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-takeover
