CVE-2025-8794: Authorization Bypass in LitmusChaos Litmus
A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8794 is an authorization bypass in the LitmusChaos Litmus platform affecting all versions up to and including 3.19.0. According to the VulDB entry, the flaw sits in the component it names the LocalStorage Handler and is triggered by manipulating the 'projectID' argument. The component name suggests browser-side Web Storage in the Litmus frontend (an inference from the name; the advisory does not identify the affected function), which would also explain why VulDB rates the attack vector as local: the value is edited in the client rather than reached over the network. An attacker who can tamper with that argument can bypass authorization checks and reach project-scoped resources or functions that should be restricted to members of that project. The attack requires local access and low privileges, and no user interaction is needed. The exploit has been disclosed publicly, and as of this writing no patch or vendor response is available. The CVSS v4.0 base score is 4.8 (medium): local attack vector (AV:L), low attack complexity (AC:L), no attack requirements (AT:N, which covers preconditions in the target environment, not authentication; the low-privilege requirement is expressed by PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L). The exploit is therefore feasible for anyone with local access and a low-privileged account, while the direct impact is limited but not negligible where local access is loosely controlled. The lack of a vendor response and patch raises the risk for organizations relying on LitmusChaos for chaos engineering and resilience testing, since a user could read or modify data in projects they were never granted access to.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment context of LitmusChaos. Organizations using LitmusChaos for chaos engineering in development, testing, or production environments may face unauthorized access risks if internal access controls are weak. An attacker with local access could bypass authorization to manipulate or view project configurations, potentially disrupting chaos experiments or gaining insights into system resilience strategies. This could lead to indirect impacts on system availability or integrity if chaos experiments are tampered with maliciously. Additionally, unauthorized access to project data could expose sensitive operational details. Although the vulnerability requires local access, insider threats or compromised internal systems could exploit this flaw. Given the increasing adoption of chaos engineering in European tech sectors, especially in cloud-native and DevOps environments, this vulnerability could undermine trust in resilience testing processes and introduce risks to critical infrastructure or services relying on LitmusChaos. The medium severity rating suggests the threat is moderate but should not be ignored, particularly in regulated industries where data integrity and access controls are paramount.
Mitigation Recommendations
Since no official patch or vendor response is available, European organizations should rely on compensating controls. First, restrict local access to the systems and workstations used to operate LitmusChaos to trusted personnel, with strict access control policies and network segmentation to limit exposure. Second, treat the projectID a client presents as untrusted: where the Litmus API is fronted by a gateway or policy proxy, enforce there that project-scoped requests match the caller's actual project membership, and in any case review request logs and alert on calls that reference projects the caller does not belong to, since the advisory indicates that a tampered projectID is what yields the bypass. Third, apply role-based access controls and audit logging within LitmusChaos so that unauthorized actions are both limited and traceable. Run LitmusChaos in isolated or containerized environments with minimal privileges to reduce the attack surface, and harden the host OS to prevent the privilege escalation that would give an attacker the local access the exploit needs. Finally, monitor threat intelligence sources for exploits or patches related to CVE-2025-8794 and plan for rapid deployment once a fix ships.
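To make the bug class and the compensating check concrete, here is an added example that is not LitmusChaos code and not taken from the advisory. It shows, in Go (the language of the Litmus backend), an HTTP handler that trusts a client-supplied projectID beside one that re-derives authorization from the authenticated user and a server-side membership table. The X-User header, the membership map, the project names and the /projects route are constructed stand-ins for a validated session, a real membership store and the real API; they are assumptions for illustration only.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample membership table (not Litmus data): user -> set of projects.
var membership = map[string]map[string]bool{
	"alice": {"proj-a": true},
	"bob":   {"proj-b": true},
}

var ErrForbidden = errors.New("caller is not a member of the requested project")

// authorizeProject is the check the vulnerable path lacks: authorization is
// derived from the authenticated user and a server-side membership store,
// never from a projectID the client chose. A user unknown to the table has
// no projects (indexing a nil inner map yields false), so they are denied.
func authorizeProject(user, projectID string) error {
	if !membership[user][projectID] {
		return ErrForbidden
	}
	return nil
}

// projectData stands in for the project-scoped resource being protected.
func projectData(projectID string) string {
	return "experiments of " + projectID
}

// Both handlers read the authenticated user from the hypothetical X-User header
// (a stand-in for a validated session) and projectID from the query string,
// which is where a client would copy it from its localStorage.

// vulnerableHandler trusts projectID as-is: any authenticated user can read any
// project simply by editing the stored projectID before the request is sent.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	projectID := r.URL.Query().Get("projectID")
	fmt.Fprint(w, projectData(projectID))
}

// hardenedHandler re-checks membership on every request and returns 403 when
// the caller is not a member, regardless of what the client claims.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User")
	projectID := r.URL.Query().Get("projectID")
	if err := authorizeProject(user, projectID); err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	fmt.Fprint(w, projectData(projectID))
}

// request drives a handler in-process and returns the HTTP status code.
func request(h http.HandlerFunc, user, projectID string) int {
	req := httptest.NewRequest(http.MethodGet, "/projects?projectID="+projectID, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// bob is a member of proj-b only, but presents proj-a as his projectID.
	fmt.Println("vulnerable, bob -> proj-a:", request(vulnerableHandler, "bob", "proj-a")) // 200
	fmt.Println("hardened,   bob -> proj-a:", request(hardenedHandler, "bob", "proj-a"))   // 403
	fmt.Println("hardened,   bob -> proj-b:", request(hardenedHandler, "bob", "proj-b"))   // 200
}
```

The point of the hardened variant is that the projectID still arrives from the client, as it must, but it is only ever used as a lookup key into state the server controls; the client's choice of value can therefore select among projects the user already belongs to and nothing else. A gateway-side policy check, as suggested above, is the same comparison performed in front of an application that does not do it itself.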
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:34:10.764Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6898246fad5a09ad0011135b
Added to database: 8/10/2025, 4:47:43 AM
Last enriched: 8/18/2025, 12:56:27 AM
Last updated: 9/22/2025, 7:51:06 AM
Related Threats
- CVE-2025-10880: CWE-522 Insufficiently Protected Credentials in Dingtian DT-R002 (High)
- CVE-2025-10879: CWE-522 Insufficiently Protected Credentials in Dingtian DT-R002 (High)
- CVE-2025-43943: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Dell Cloud Disaster Recovery (Medium)
- CVE-2025-33116: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Watson Studio on Cloud Pak for Data (Medium)
- CVE-2025-26333: CWE-209: Generation of Error Message Containing Sensitive Information in Dell BSAFE Crypto-J (Medium)