CVE-2025-8791: Improper Authorization in LitmusChaos Litmus
A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/list_projects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8791 affects LitmusChaos Litmus up to and including version 3.19.0. The flaw is an improper authorization check in the handling of the /auth/list_projects endpoint: the value of the 'role' argument supplied by the client takes part in deciding which projects are returned, so a caller that manipulates that value can obtain project listings it is not entitled to see. The severity labels on this record do not agree: the VulDB description rates the issue as critical, while the CVSS 4.0 base score is 5.3, which is Medium. That score reflects a network attack vector, low attack complexity, no user interaction, and low impact on confidentiality, integrity and availability. Check the published vector before treating the bug as reachable by an unauthenticated attacker: under CVSS 4.0 a score of 5.3 with low C/I/A impact corresponds to an attacker who already holds low privileges, while the same impacts with no privileges required score 6.9. A proof of concept has been published, but no exploitation in the wild has been reported. The vendor was contacted ahead of disclosure and did not respond, and no fixed release is referenced on this record. Litmus is a chaos-engineering platform that runs fault-injection experiments against Kubernetes workloads, so the projects it lists reveal which environments and teams are under test, and an over-broad listing is a useful reconnaissance step toward those experiments.
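The bug class is easier to see in code. The following Go program is an added illustration and is not Litmus's own code: a hypothetical list-projects handler that lets a client-supplied role query parameter widen the listing, beside a hardened version that derives the caller's role from a server-side membership table and treats the parameter only as a filter. The users (alice, bob, carol), the project names, the X-User header standing in for session validation, and the role names Owner, Editor and Viewer are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// project is a hypothetical record; Members maps user ID to that user's role
// in the project and is never serialized to clients.
type project struct {
	ID      string            `json:"id"`
	Name    string            `json:"name"`
	Members map[string]string `json:"-"`
}

// Constructed data for the example (not real Litmus projects or users).
var projects = []project{
	{ID: "p1", Name: "payments-resilience", Members: map[string]string{"alice": "Owner", "bob": "Viewer"}},
	{ID: "p2", Name: "core-banking-chaos", Members: map[string]string{"alice": "Owner"}},
	{ID: "p3", Name: "sandbox", Members: map[string]string{"carol": "Editor"}},
}

// userFromRequest stands in for session or token validation. The caller's
// identity must come from something the server verified; here an X-User
// header is assumed to have been set by that verification step.
func userFromRequest(r *http.Request) (string, bool) {
	u := r.Header.Get("X-User")
	return u, u != ""
}

// vulnerableListProjects models the bug class: the client-supplied "role"
// query parameter takes part in the authorization decision, so claiming
// role=Owner returns every project regardless of membership.
func vulnerableListProjects(w http.ResponseWriter, r *http.Request) {
	user, ok := userFromRequest(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	claimed := r.URL.Query().Get("role")
	out := []project{}
	for _, p := range projects {
		// BUG: an attacker-controlled value short-circuits the membership check.
		if strings.EqualFold(claimed, "Owner") || p.Members[user] != "" {
			out = append(out, p)
		}
	}
	writeJSON(w, out)
}

// hardenedListProjects derives the caller's role from server-side state.
// The "role" parameter may only narrow the result (projects where the
// caller actually holds that role); it can never widen it.
func hardenedListProjects(w http.ResponseWriter, r *http.Request) {
	user, ok := userFromRequest(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	filter := r.URL.Query().Get("role")
	out := []project{}
	for _, p := range projects {
		actual, member := p.Members[user]
		if !member {
			continue
		}
		if filter != "" && filter != actual {
			continue
		}
		out = append(out, p)
	}
	writeJSON(w, out)
}

func writeJSON(w http.ResponseWriter, v any) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(v)
}

// listNames drives a handler through httptest as the given user with the
// given role parameter and returns the project names it got back; nil on
// any non-200 response.
func listNames(h http.HandlerFunc, user, role string) []string {
	q := url.Values{}
	if role != "" {
		q.Set("role", role)
	}
	req := httptest.NewRequest(http.MethodGet, "/auth/list_projects?"+q.Encode(), nil)
	if user != "" {
		req.Header.Set("X-User", user)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	if rec.Code != http.StatusOK {
		return nil
	}
	var got []project
	if err := json.NewDecoder(rec.Body).Decode(&got); err != nil {
		return nil
	}
	names := make([]string, 0, len(got))
	for _, p := range got {
		names = append(names, p.Name)
	}
	return names
}

func main() {
	fmt.Println("vulnerable, bob with role=Owner:", listNames(vulnerableListProjects, "bob", "Owner"))
	fmt.Println("hardened,   bob with role=Owner:", listNames(hardenedListProjects, "bob", "Owner"))
	fmt.Println("hardened,   bob, no filter:     ", listNames(hardenedListProjects, "bob", ""))
	fmt.Println("hardened,   alice, role=Owner:  ", listNames(hardenedListProjects, "alice", "Owner"))
}
```

Compare the first two lines of output: the vulnerable handler hands bob all three projects once he claims role=Owner, the hardened one returns nothing because bob holds no Owner membership, and with no filter he gets exactly the one project he belongs to. The general rule is that every input to an authorization decision must come from state the server controls; a request parameter may narrow a result set but never broaden it.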
Potential Impact
For European organizations running Litmus, the direct consequence is disclosure: a caller who can reach the auth endpoint can enumerate projects, and with them the names of the environments and services under test, beyond what their role permits. That listing is reconnaissance rather than control; modifying or triggering experiments would require chaining with further weaknesses or valid credentials for those projects, but knowing the project identifiers makes such follow-on attempts easier. Organizations in finance, healthcare and critical infrastructure that use chaos experiments to validate resilience may also face compliance questions if project metadata is exposed, and a Litmus control plane on an internal network is an attractive pivot point because it is connected to the clusters it targets. With no vendor response and no fix referenced, the exposure window is open-ended, so mitigation has to come from the deployment side.
Mitigation Recommendations
1. Confirm exposure first: every release up to and including 3.19.0 is affected, so record the deployed version and establish whether the ChaosCenter portal and its auth server are reachable from outside the cluster or the administrative network.
2. Restrict network access to the Litmus management interfaces with network policies, ingress rules or firewalling so that only administrators and trusted internal ranges can reach /auth/list_projects.
3. Put an authenticating reverse proxy or WAF in front of the portal and add a rule that flags or blocks requests to /auth/list_projects whose 'role' value is outside the roles Litmus defines.
4. Monitor access logs for requests to /auth/list_projects carrying unusual 'role' values, and for a single client cycling through several role values in a short window, which is what probing this check looks like.
5. Disabling the endpoint outright is rarely practical because the portal relies on it to show a user's projects; if the installation is not in active use, scaling the ChaosCenter down until a fix ships removes the exposure entirely.
6. Audit project memberships and roles in Litmus, remove stale users and keep Owner assignments to a minimum so that a widened listing leaks as little as possible.
7. Runtime application self-protection tooling can add a second layer of detection, but it does not correct the authorization decision and is no substitute for the network controls above.
8. Track the upstream repository and advisories for a fixed release and plan to apply it promptly once available.
9. Brief DevOps and security teams on the issue so that suspicious activity against chaos-engineering tooling is escalated quickly.
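The log-monitoring recommendation above is the one control that can be in place within the hour, so here is a worked version of the detection logic. This Go program is an added example, not part of the page or of Litmus: it parses constructed access-log lines in combined log format (the addresses, timestamps and requests are invented for the example), keeps only requests to /auth/list_projects, and reports two conditions: a 'role' value outside the assumed set of Litmus roles (Owner, Editor, Viewer), and a single client sending several distinct role values, which is the signature of someone probing the check. The regular expression and the role set are assumptions to be adjusted to your proxy or ingress log format and your Litmus version.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed access-log lines in combined log format; these are not real
// Litmus logs. Note the same client cycling Viewer -> Owner, a remote client
// sending an injection-style role value, and an unrelated request.
var sampleLog = []string{
	`10.0.0.5 - - [10/Aug/2025:03:47:43 +0000] "GET /auth/list_projects?role=Viewer HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.0.0.5 - - [10/Aug/2025:03:47:44 +0000] "GET /auth/list_projects?role=Owner HTTP/1.1" 200 4096 "-" "Mozilla/5.0"`,
	`203.0.113.9 - - [10/Aug/2025:03:48:10 +0000] "GET /auth/list_projects?role=admin%27%20OR%201%3D1 HTTP/1.1" 200 9000 "-" "curl/8.0"`,
	`10.0.0.7 - - [10/Aug/2025:03:49:02 +0000] "GET /auth/list_projects HTTP/1.1" 200 700 "-" "Mozilla/5.0"`,
	`10.0.0.8 - - [10/Aug/2025:03:49:30 +0000] "GET /auth/get_user/abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"`,
}

// knownRoles is an assumption about the Litmus role model; verify it against
// the version you run before relying on this rule.
var knownRoles = map[string]bool{"Owner": true, "Editor": true, "Viewer": true}

// lineRE captures client address, method, request target and status from a
// combined-log-format line. Adapt it to your own proxy or ingress format.
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

const targetPath = "/auth/list_projects"

type finding struct {
	Source string // client address
	Role   string // offending role value(s)
	Reason string
}

// analyze returns findings in a deterministic order: unknown role values in
// line order first, then per-client role cycling sorted by client address.
func analyze(lines []string) []finding {
	var out []finding
	rolesBySrc := map[string]map[string]bool{}
	for _, ln := range lines {
		m := lineRE.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		src, target := m[1], m[3]
		u, err := url.Parse(target)
		if err != nil || u.Path != targetPath {
			continue
		}
		role := u.Query().Get("role") // percent-decoded by Query()
		if role == "" {
			continue
		}
		if rolesBySrc[src] == nil {
			rolesBySrc[src] = map[string]bool{}
		}
		rolesBySrc[src][role] = true
		if !knownRoles[role] {
			out = append(out, finding{src, role, "role value outside known set"})
		}
	}
	srcs := make([]string, 0, len(rolesBySrc))
	for s := range rolesBySrc {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs)
	for _, s := range srcs {
		if len(rolesBySrc[s]) < 2 {
			continue
		}
		vals := make([]string, 0, len(rolesBySrc[s]))
		for r := range rolesBySrc[s] {
			vals = append(vals, r)
		}
		sort.Strings(vals)
		out = append(out, finding{s, strings.Join(vals, ","), "same client cycling role values"})
	}
	return out
}

func main() {
	for _, f := range analyze(sampleLog) {
		fmt.Printf("%-14s role=%-22q %s\n", f.Source, f.Role, f.Reason)
	}
}
```

Run against the sample and it reports 203.0.113.9 for the injection-style value and 10.0.0.5 for cycling Viewer and Owner; the request with no role parameter and the request to a different path are ignored. A jump in response size between consecutive requests from the same client (512 bytes, then 4096 in the sample) is a third signal worth adding once you know the normal listing size for your installation.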
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:33:47.639Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6898165fad5a09ad0010ec98
Added to database: 8/10/2025, 3:47:43 AM
Last enriched: 8/18/2025, 12:58:27 AM
Last updated: 8/30/2025, 2:00:15 PM
Related Threats
- CVE-2025-23366: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (Medium)
- CVE-2025-6992 (Low)
- CVE-2025-9706: SQL Injection in SourceCodester Water Billing System (Medium)
- CVE-2025-1391: Improper Access Control (Medium)
- CVE-2025-9705: SQL Injection in SourceCodester Water Billing System (Medium)