CVE-2025-59360 is a critical OS command injection vulnerability in the Chaos Controller Manager component of Chaos Mesh. The flaw is in the GraphQL killProcesses mutation, which builds a shell command from attacker-controlled PID input; the source describes the construction as cmd := fmt.Sprintf("kill %s", strings.Join(pids, " ")). The PID values are string-typed and are joined into a single command line that is executed through a shell rather than passed as separate argv elements, and no sanitization or allow-list is applied. An in-cluster attacker can therefore supply a "PID" that contains shell metacharacters or command separators (for example a value of the form 1234; <command>) and have arbitrary operating system commands executed. The resulting command travels down the execution path Chaos Mesh uses to run commands on target pods/nodes, including execution via Chaos Daemon. In the default deployment context described in the source material, the issue is especially dangerous when chained with CVE-2025-59358, which exposes the GraphQL /query endpoint without authentication to in-cluster attackers: any pod that can reach the controller manager service can reach the vulnerable mutation.
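The vulnerable construction and a hardened replacement side by side, as an added example that is not Chaos Mesh's own code. It assumes the mutation receives the PIDs as a []string, as the strings.Join call above implies; the function names and the sample input are hypothetical and constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// Vulnerable pattern described in the advisory: the caller-supplied PIDs are
// joined into one string that is later handed to a shell (sh -c ...), so any
// shell metacharacter in a "PID" becomes part of the command line.
func buildKillCommandVulnerable(pids []string) string {
	return fmt.Sprintf("kill %s", strings.Join(pids, " "))
}

// pidPattern is the allow-list: one or more decimal digits and nothing else.
// Separators (';', '|', '&', newline), substitutions ('$', '`'), quotes,
// whitespace and a leading '-' all fail this check.
var pidPattern = regexp.MustCompile(`^[0-9]+$`)

// validatePIDs checks the raw list from the request and returns positive
// integer PIDs. It fails closed: one bad entry rejects the whole request
// instead of silently dropping it.
func validatePIDs(raw []string) ([]int, error) {
	if len(raw) == 0 {
		return nil, errors.New("no pids supplied")
	}
	pids := make([]int, 0, len(raw))
	for _, s := range raw {
		if !pidPattern.MatchString(s) {
			return nil, fmt.Errorf("rejected pid %q: not a decimal integer", s)
		}
		n, err := strconv.Atoi(s)
		if err != nil || n <= 0 {
			return nil, fmt.Errorf("rejected pid %q: out of range", s)
		}
		pids = append(pids, n)
	}
	return pids, nil
}

// buildKillArgv returns an argv slice for exec.Command. Each PID is its own
// argv element and no shell is involved, so even if validation were bypassed
// the kernel would hand "5678; id" to kill as one literal argument rather
// than letting a shell split it into a second command.
func buildKillArgv(raw []string) ([]string, error) {
	pids, err := validatePIDs(raw)
	if err != nil {
		return nil, err
	}
	argv := []string{"kill"}
	for _, p := range pids {
		argv = append(argv, strconv.Itoa(p))
	}
	return argv, nil
}

func main() {
	// Constructed sample input: the second "PID" smuggles a command separator.
	hostile := []string{"1234", "5678; id > /tmp/pwned"}

	fmt.Println("vulnerable:", buildKillCommandVulnerable(hostile))
	if _, err := buildKillArgv(hostile); err != nil {
		fmt.Println("hardened  :", err)
	}

	// Happy path. Production code would run exec.Command(argv[0], argv[1:]...);
	// echo stands in for kill here so the demo does not signal any process.
	argv, err := buildKillArgv([]string{"1234", "5678"})
	if err != nil {
		panic(err)
	}
	out, err := exec.Command("echo", argv[1:]...).Output()
	if err != nil {
		panic(err)
	}
	fmt.Printf("hardened  : would exec %v (echo printed %q)\n", argv, strings.TrimSpace(string(out)))
}
```

Two changes matter here, and they are independent: the allow-list rejects anything that is not a decimal PID, and the argv-based exec.Command (or a direct syscall.Kill) removes the shell from the execution path entirely, so a validation bypass no longer yields command execution. Neither replaces authentication on the /query endpoint; they only close this particular sink.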
If you can’t patch tonight, do this now.
Set enableCtrlServer=false (a Chaos Mesh Helm chart value) to disable the controller server, as the source material cites. Additionally, restrict in-cluster network access to the Chaos Controller Manager service, prevent untrusted pods from reaching the GraphQL /query endpoint, and minimize exposure of Chaos Mesh components until patched. Because the issue is materially worsened by the missing authentication on the GraphQL server (CVE-2025-59358), limiting reachability and disabling the controller server are the mitigations most directly supported by the source material.

Patch, then assume compromise.
No public exploit code observed for this vulnerability.
One of four serious Chaos Mesh vulnerabilities in the Chaos Controller Manager GraphQL server; the missing authentication on that server lets in-cluster attackers reach the injection paths, contributing to potential Kubernetes cluster takeover.
A critical OS command injection vulnerability in Chaos Mesh that allows in-cluster attackers to inject arbitrary shell commands through the killProcesses GraphQL mutation, resulting in arbitrary code execution on targeted pods and possible total cluster compromise.
A critical command injection vulnerability in Chaos Mesh's Chaos Controller Manager killProcesses mutation that can enable arbitrary OS command execution across Kubernetes cluster nodes.