
CVE-2025-8794: Authorization Bypass in LitmusChaos Litmus

Severity: Medium
Tags: Vulnerability, CVE-2025-8794
Published: Sun Aug 10 2025 (08/10/2025, 04:32:06 UTC)
Source: CVE Database V5
Vendor/Project: LitmusChaos
Product: Litmus

Description

A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/10/2025, 05:02:46 UTC

Technical Analysis

CVE-2025-8794 is an authorization bypass vulnerability identified in LitmusChaos Litmus versions up to 3.19.0. The vulnerability resides in the LocalStorage Handler component, specifically involving manipulation of the projectID argument. By tampering with this parameter, an attacker with local access can bypass authorization controls, potentially gaining unauthorized access to project-specific resources or operations within the LitmusChaos environment.

The vulnerability does not require user interaction and can be exploited with low complexity, but it does require local access and privileges at least equivalent to a low-level user (PR:L). The CVSS 4.0 vector indicates a local attack vector, low attack complexity, low privileges required, no user interaction, and low impact on confidentiality, integrity, and availability. The vendor has not responded to the disclosure, and no patches have been released at the time of publication. Although the exploit is publicly disclosed, there are no known exploits actively used in the wild.

LitmusChaos is an open-source chaos engineering tool used to test the resilience of cloud-native applications by injecting faults and simulating failures. The LocalStorage Handler is likely responsible for managing persistent state or configuration data related to chaos experiments or projects. Exploiting this vulnerability could allow an attacker to manipulate or access project data without proper authorization, potentially undermining the integrity of chaos experiments or exposing sensitive configuration details.

Potential Impact

For European organizations leveraging LitmusChaos for chaos engineering and resilience testing, this vulnerability poses a risk of unauthorized access to project configurations and experiment data. While the impact on core confidentiality, integrity, and availability is rated low to medium, the ability to bypass authorization controls locally could allow malicious insiders or compromised low-privilege users to interfere with chaos experiments. This interference could lead to inaccurate test results, disruption of resilience validation processes, or exposure of sensitive operational data. In regulated industries such as finance, healthcare, or critical infrastructure within Europe, such disruptions could affect compliance with operational resilience and security standards. Additionally, if attackers use this vulnerability as a foothold, it could facilitate lateral movement within development or testing environments, potentially escalating to broader compromise. However, the requirement for local access limits the attack surface primarily to internal users or attackers who have already breached perimeter defenses.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement compensating controls to mitigate this vulnerability. First, restrict local access to systems running LitmusChaos to trusted personnel only, enforcing strict access control policies and monitoring. Employ host-based intrusion detection systems (HIDS) to detect unauthorized attempts to manipulate projectID parameters or access LocalStorage Handler components. Segregate development and testing environments from production networks to limit potential lateral movement. Implement robust logging and audit trails for all actions related to chaos engineering tools to detect anomalous behavior promptly. Additionally, consider deploying application-layer firewalls or runtime application self-protection (RASP) solutions that can monitor and block unauthorized parameter manipulation. Organizations should also engage with the LitmusChaos community or maintainers to advocate for a timely patch release and track updates closely. Finally, conduct regular security reviews of chaos engineering tools and their configurations to identify and remediate similar weaknesses proactively.
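The analysis above describes a projectID held on the client side being trusted for authorization, and the recommendations call for blocking unauthorized parameter manipulation and keeping an audit trail. The Go snippet below is an added illustration and not LitmusChaos code: the membership store, the `X-User` header, the `/experiments` route and the handler names are all hypothetical. It contrasts a handler that treats the client-supplied projectID as proof of access with one that re-checks the authenticated user's project membership against the server's own records and logs denied attempts. With that server-side check in place, whatever value a client keeps in local storage cannot widen its access.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// membershipStore is a constructed stand-in for the server's own record of
// which users belong to which projects (userID -> projectID -> member).
// Hypothetical illustration code, not part of LitmusChaos.
type membershipStore map[string]map[string]bool

var errNotMember = errors.New("user is not a member of the requested project")

// authorizeProject is the server-side check: a projectID supplied by the
// client (query string, request body, or whatever the browser kept in local
// storage) is honoured only if the authenticated user is recorded as a member
// of that project in the server's own store.
func authorizeProject(store membershipStore, userID, projectID string) error {
	if userID == "" || projectID == "" {
		return errors.New("missing user or projectID")
	}
	if store[userID][projectID] { // indexing a nil inner map yields false
		return nil
	}
	return errNotMember
}

// weakHandler shows the flawed pattern: the client-supplied projectID is
// treated as proof of access, so changing the stored value changes the scope.
func weakHandler() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		projectID := r.URL.Query().Get("projectID")
		if projectID == "" {
			http.Error(w, "missing projectID", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "experiments for project %s\n", projectID)
	}
}

// hardenedHandler takes the user identity from the authenticated session
// (simulated here by an X-User header that a trusted auth layer would set,
// never the client) and re-checks membership before serving project data.
// Denied requests are logged so the audit trail records the attempted scope.
func hardenedHandler(store membershipStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("X-User")
		projectID := r.URL.Query().Get("projectID")
		if err := authorizeProject(store, userID, projectID); err != nil {
			log.Printf("authz denied user=%q projectID=%q reason=%v", userID, projectID, err)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "experiments for project %s\n", projectID)
	}
}

// statusFor drives a handler with an in-memory request and returns the HTTP
// status code, so the two behaviours can be compared without a real server.
func statusFor(h http.HandlerFunc, userID, projectID string) int {
	req := httptest.NewRequest(http.MethodGet, "/experiments?projectID="+projectID, nil)
	req.Header.Set("X-User", userID)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample data: alice is a member of proj-a only.
	store := membershipStore{"alice": {"proj-a": true}}
	fmt.Println("weak,     alice -> proj-b:", statusFor(weakHandler(), "alice", "proj-b"))
	fmt.Println("hardened, alice -> proj-a:", statusFor(hardenedHandler(store), "alice", "proj-a"))
	fmt.Println("hardened, alice -> proj-b:", statusFor(hardenedHandler(store), "alice", "proj-b"))
}
```

The design point is that the membership lookup runs against state the client cannot edit, and the user identity comes from the session rather than from the request parameters. The log line on denial is what a host-based or SIEM rule would key on to spot a low-privilege user probing project identifiers they do not belong to.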


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-09T05:34:10.764Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6898246fad5a09ad0011135b

Added to database: 8/10/2025, 4:47:43 AM

Last enriched: 8/10/2025, 5:02:46 AM

Last updated: 8/10/2025, 12:41:20 PM
