CVE-2025-8793: Improper Control of Resource Identifiers in LitmusChaos Litmus
A vulnerability classified as problematic was found in LitmusChaos Litmus up to 3.19.0. Affected by this vulnerability is an unknown functionality. The manipulation of the argument projectID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8793 is a medium-severity vulnerability affecting LitmusChaos Litmus versions up to 3.19.0. The vulnerability arises from improper control of resource identifiers, specifically through manipulation of the 'projectID' argument. This flaw allows a remote attacker holding only low privileges, and without any user interaction, to influence which project resources a request acts on. The vulnerability is classified as problematic due to the potential for unauthorized access to or manipulation of resources within the LitmusChaos environment. LitmusChaos is an open-source chaos engineering platform used to test the resilience of cloud-native applications by injecting faults and simulating failures. The improper control of resource identifiers could allow attackers to interfere with chaos experiments or access resources they should not control, potentially disrupting testing workflows or causing unintended side effects. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality (VC:L), with no impact on integrity or availability. The vendor has not responded to early disclosure, and no patches or mitigations have been published yet. Although no known exploits are currently in the wild, public disclosure of the exploit details increases the risk of exploitation.
Potential Impact
For European organizations using LitmusChaos for chaos engineering and resilience testing, this vulnerability could lead to unauthorized manipulation of chaos experiments or access to project resources. This may result in inaccurate testing outcomes, disruption of development and testing pipelines, and potential exposure of sensitive project data. Since chaos engineering is often integrated into CI/CD pipelines and production-like environments, exploitation could indirectly affect application stability and availability. Organizations relying on LitmusChaos to validate system robustness may face increased operational risks and reduced confidence in their resilience strategies. The medium severity suggests limited direct impact on confidentiality, integrity, or availability, but the risk of unauthorized resource control could have cascading effects in complex cloud-native environments.
Mitigation Recommendations
Given the lack of vendor response and absence of patches, European organizations should implement the following specific mitigations:
1) Restrict network access to LitmusChaos management interfaces to trusted internal networks only, using network segmentation and firewall rules to limit exposure.
2) Enforce strict access controls and authentication mechanisms around LitmusChaos projects to minimize the risk of unauthorized manipulation of projectID parameters.
3) Monitor and log all API requests involving projectID parameters to detect anomalous or unauthorized access attempts.
4) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious manipulation of resource identifiers.
5) Temporarily avoid upgrading to or using affected LitmusChaos versions until a patch is available, or isolate vulnerable instances from critical environments.
6) Engage with the LitmusChaos community or maintainers to track patch releases and apply updates promptly once available.
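The following is an added illustration of mitigations 2) and 3) above, written for this page and not taken from the LitmusChaos code base. It shows the general pattern behind an "improper control of resource identifiers" flaw: a handler must not trust a client-supplied projectID on its own, but must check server-side that the authenticated caller is a member of that project before acting, and the same membership check run over access logs flags requests that crossed project boundaries. The membership table, the log-line format (`<time> user=<id> projectID=<id> op=<name>`), and all user and project IDs are constructed assumptions for the example; LitmusChaos's real data model, API and log format are not represented here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample membership table: project ID -> set of member user IDs.
// This is assumed example data, not the LitmusChaos data model.
var projectMembers = map[string]map[string]bool{
	"proj-a": {"alice": true, "bob": true},
	"proj-b": {"carol": true},
}

// ErrForbidden is returned for both "no such project" and "not a member", so a
// caller cycling through projectID values cannot learn which identifiers exist.
var ErrForbidden = errors.New("forbidden: caller may not act on this project")

// AuthorizeProjectAccess is the server-side check a handler must run before
// acting on a client-supplied projectID. The identifier is untrusted input; the
// decision rests on the authenticated caller identity and the server's own
// membership records, never on anything else carried in the request.
func AuthorizeProjectAccess(callerID, projectID string) error {
	members, ok := projectMembers[projectID]
	if !ok || !members[callerID] {
		return ErrForbidden
	}
	return nil
}

// AccessEvent is one parsed API request from the access log.
type AccessEvent struct {
	Time      string
	Caller    string
	ProjectID string
	Op        string
}

// ParseAccessLine parses the constructed, simplified log format
// "<time> user=<id> projectID=<id> op=<name>" assumed for this example.
func ParseAccessLine(line string) (AccessEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return AccessEvent{}, fmt.Errorf("malformed log line: %q", line)
	}
	ev := AccessEvent{Time: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return AccessEvent{}, fmt.Errorf("malformed field %q in line %q", f, line)
		}
		switch k {
		case "user":
			ev.Caller = v
		case "projectID":
			ev.ProjectID = v
		case "op":
			ev.Op = v
		}
	}
	if ev.Caller == "" || ev.ProjectID == "" {
		return AccessEvent{}, fmt.Errorf("missing user or projectID in line %q", line)
	}
	return ev, nil
}

// FindCrossProjectAccess scans access-log lines and returns the events where the
// caller touched a projectID they are not a member of. It is the detection
// counterpart of AuthorizeProjectAccess: over historical logs it finds requests
// that should have been denied; over live logs it is the signal to alert on.
func FindCrossProjectAccess(lines []string) []AccessEvent {
	var hits []AccessEvent
	for _, line := range lines {
		ev, err := ParseAccessLine(line)
		if err != nil {
			continue // unparseable lines are skipped here; a real pipeline would count them
		}
		if AuthorizeProjectAccess(ev.Caller, ev.ProjectID) != nil {
			hits = append(hits, ev)
		}
	}
	return hits
}

// Constructed sample log: three in-project requests and two that cross project
// boundaries (bob into proj-b, and carol into a projectID that does not exist).
var sampleLog = []string{
	"2025-08-10T04:00:01Z user=alice projectID=proj-a op=listExperiments",
	"2025-08-10T04:00:05Z user=bob projectID=proj-b op=getExperiment",
	"2025-08-10T04:00:09Z user=carol projectID=proj-b op=runExperiment",
	"2025-08-10T04:00:12Z user=carol projectID=proj-zzz op=getExperiment",
	"2025-08-10T04:00:20Z user=bob projectID=proj-a op=listExperiments",
}

func main() {
	for _, ev := range FindCrossProjectAccess(sampleLog) {
		fmt.Printf("ALERT %s: %s accessed %s (%s) without membership\n",
			ev.Time, ev.Caller, ev.ProjectID, ev.Op)
	}
}
```

Returning one identical error for an unknown project and for a non-member keeps the response from confirming which projectID values exist; the detection pass deliberately reuses the same authorization function so that what is logged as an alert is exactly what the handler would have refused.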
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-09T05:34:00.304Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 68981d67ad5a09ad0010f9f1
Added to database: 8/10/2025, 4:17:43 AM
Last enriched: 8/10/2025, 4:32:42 AM
Last updated: 8/10/2025, 12:41:19 PM