CVE-2025-59358

Kubernetes · Kubernetes Multiple Products

A high-severity vulnerability has been identified in the Chaos Mesh component for Kubernetes.

Executive summary

A high-severity vulnerability has been identified in the Chaos Mesh component for Kubernetes. The vulnerability exposes an unauthenticated debugging server that allows any actor with network access within the cluster to terminate arbitrary processes in any pod, potentially leading to a complete, cluster-wide denial of service for all hosted applications.

Vulnerability

The Chaos Controller Manager, a core component of the Chaos Mesh platform, incorrectly exposes a GraphQL debugging endpoint to the internal Kubernetes cluster network without requiring any authentication. An attacker who has already compromised a pod or otherwise gained network access within the cluster can send specially crafted GraphQL API requests to this endpoint. The exposed API includes a function to kill processes by their process ID (PID) inside any specified pod, which an attacker can leverage to systematically terminate critical application and system processes, resulting in a widespread denial of service.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation would result in a cluster-wide denial of service, rendering all applications and services hosted on the Kubernetes cluster unavailable. The direct business impact includes potential revenue loss, disruption of critical business operations, violation of service level agreements (SLAs), and significant damage to customer trust and brand reputation. The ability for an attacker with a low-privileged foothold to disable an entire production environment represents a critical risk to operational continuity.

Remediation

Immediate Action: Organizations must apply the security updates provided by the vendor to their Chaos Mesh installation without delay. After patching, administrators should review access logs for the Chaos Controller Manager and Kubernetes audit logs for any signs of anomalous activity or exploitation attempts that may have occurred before remediation.

Proactive Monitoring: Implement monitoring and alerting for unusual network traffic directed at the Chaos Controller Manager pod(s), specifically targeting the GraphQL port. Monitor Kubernetes pods for unexpected process terminations or restarts that do not correlate with legitimate deployment or scaling activities. SIEM rules should be configured to detect multiple, rapid pod failures across different nodes, which could indicate an exploitation attempt.

Compensating Controls: If immediate patching is not feasible, implement strict Kubernetes Network Policies that restrict all ingress traffic to the Chaos Controller Manager pod, allowing connections only from trusted control plane components. This isolates the vulnerable endpoint so that compromised pods elsewhere in the cluster cannot reach it.
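As an added example (not from this advisory or the Chaos Mesh project), one way to express the compensating control above as a Kubernetes NetworkPolicy; the namespace, pod labels and port numbers below are assumptions and must be checked against your own installation:

```yaml
# Added example, not part of the advisory or of Chaos Mesh itself.
# Assumptions to verify against your deployment:
#   - Chaos Mesh is installed in the namespace "chaos-mesh"
#   - controller-manager pods carry the two labels selected below
#   - the admission webhook served by the controller manager listens on 10250
#     and is called by the kube-apiserver (typically from node addresses)
#   - the GraphQL debugging port is whatever the controller manager's
#     ctrl-server address is set to; it is deliberately NOT allowed here
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: chaos-controller-manager-restrict-ingress
  namespace: chaos-mesh
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: chaos-mesh
      app.kubernetes.io/component: controller-manager
  policyTypes:
    - Ingress            # only ingress is restricted; egress is left unchanged
  ingress:
    # Keep the admission webhook reachable. The API server usually connects
    # from control-plane/node IPs rather than from a pod, so this rule is
    # scoped by port only. Tighten it with an ipBlock for the control-plane
    # CIDR if your cluster layout allows it.
    - ports:
        - protocol: TCP
          port: 10250
    # Template for an operator workload that legitimately needs the
    # controller manager (for example a pod running chaosctl). Replace the
    # placeholder label with the real one, or delete this rule entirely.
    - from:
        - podSelector:
            matchLabels:
              chaos-mesh.example/trusted-client: "true"   # placeholder label
  # Any ingress not matched above, including traffic to the GraphQL
  # debugging port from arbitrary workloads, is dropped.
```

A NetworkPolicy is only enforced if the cluster's CNI plugin implements it, so confirm enforcement by attempting a connection from a pod that is not in an allowed selector before relying on this control.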

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the high severity (CVSS 7.5) and the critical impact of a cluster-wide denial of service, this vulnerability requires immediate attention. We strongly recommend that all organizations using Chaos Mesh within their Kubernetes environments prioritize the deployment of the vendor-supplied patch. While this vulnerability is not currently listed on the CISA KEV list, its severe impact makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above, particularly the use of restrictive Network Policies, must be implemented as a critical interim measure to mitigate risk.