
CVE-2025-8795: Improper Access Controls in LitmusChaos Litmus

Severity: Medium
Published: Sun Aug 10 2025 (08/10/2025, 05:32:06 UTC)
Source: CVE Database V5
Vendor/Project: LitmusChaos
Product: Litmus

Description

A vulnerability, which was classified as critical, was found in LitmusChaos Litmus up to 3.19.0. This affects an unknown part of the file /auth/login. The manipulation of the argument projectID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/18/2025, 00:56:00 UTC

Technical Analysis

CVE-2025-8795 is a vulnerability identified in LitmusChaos Litmus, an open-source chaos engineering platform used to test the resilience of cloud-native applications. The vulnerability affects all versions up to and including 3.19.0. It is classified as an improper access control issue located in the /auth/login endpoint, specifically involving the manipulation of the 'projectID' argument. This flaw allows an attacker to bypass intended access restrictions, potentially granting unauthorized access to project-specific resources or operations. The vulnerability can be exploited remotely without requiring user interaction or prior authentication, indicating a low barrier to exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting that while the attack vector is network-based and requires no privileges or user interaction, the impact on confidentiality, integrity, and availability is limited to low levels. The vendor has not responded to the disclosure, and no patches or mitigations have been published at the time of this report. Although no known exploits are currently observed in the wild, the public disclosure increases the risk of exploitation attempts. Improper access control in a critical authentication endpoint can lead to unauthorized data access, manipulation of chaos experiments, or disruption of testing workflows, undermining the reliability of resilience testing and potentially exposing sensitive operational data or configurations.

Potential Impact

For European organizations, especially those adopting cloud-native architectures and chaos engineering practices, this vulnerability poses a risk to the integrity and confidentiality of their resilience testing environments. Unauthorized access could allow attackers to interfere with chaos experiments, potentially masking real system faults or causing misleading test results, which in turn could lead to undetected system weaknesses. Organizations in sectors such as finance, healthcare, and critical infrastructure that rely on LitmusChaos for reliability testing may face operational risks and compliance challenges if unauthorized access leads to data exposure or manipulation. Additionally, the lack of vendor response and absence of patches increases the window of exposure. Given the remote exploitability and no requirement for authentication, attackers could leverage this vulnerability to gain footholds within development or testing environments, which might be leveraged for lateral movement within corporate networks.

Mitigation Recommendations

European organizations using LitmusChaos should immediately audit their deployments to identify affected versions (3.0 through 3.19.0). Until an official patch is released, organizations should implement strict network-level access controls to restrict access to the /auth/login endpoint, limiting it to trusted IP addresses or VPNs. Employing Web Application Firewalls (WAFs) with custom rules to detect and block anomalous projectID parameter manipulations can provide temporary protection. Monitoring and logging access to authentication endpoints should be enhanced to detect suspicious activities. Organizations should also consider isolating chaos engineering environments from production networks to reduce risk exposure. Regularly reviewing user permissions and applying the principle of least privilege within the platform can minimize potential damage. Finally, organizations should maintain close communication with LitmusChaos community channels for updates and patches, and prepare to apply fixes promptly once available.


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-09T05:34:13.313Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6898327fad5a09ad00114414

Added to database: 8/10/2025, 5:47:43 AM

Last enriched: 8/18/2025, 12:56:00 AM

Last updated: 9/25/2025, 1:31:09 AM
