CVE-2025-8795: Improper Access Controls in LitmusChaos Litmus
A vulnerability, which was classified as critical, was found in LitmusChaos Litmus up to 3.19.0. This affects an unknown part of the file /auth/login. The manipulation of the argument projectID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8795 is a vulnerability identified in LitmusChaos Litmus, an open-source chaos engineering platform used to test the resilience of cloud-native applications. The vulnerability affects all versions up to 3.19.0 and is located in the /auth/login endpoint, specifically involving improper access control related to the manipulation of the 'projectID' argument. This flaw allows an attacker to remotely exploit the system without requiring user interaction or elevated privileges, potentially bypassing intended access restrictions. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, indicating moderate impact. The attack vector is network-based with low attack complexity and no privileges required, but it results in limited confidentiality, integrity, and availability impacts. The vendor has not responded to early disclosure attempts, and no patches or mitigations have been officially released yet. Although no known exploits are currently active in the wild, the public disclosure increases the risk of exploitation. The vulnerability could allow unauthorized access to project-specific resources or data within the LitmusChaos platform, undermining the security controls designed to isolate projects and users. Given LitmusChaos’s role in managing chaos experiments, unauthorized access could lead to manipulation or disruption of testing environments, potentially impacting the reliability and security validation of critical cloud infrastructure.
Potential Impact
For European organizations, especially those leveraging LitmusChaos for chaos engineering in cloud-native environments, this vulnerability poses a risk of unauthorized access to project-level resources. This could lead to exposure or manipulation of sensitive test configurations and results, undermining trust in resilience testing processes. In regulated industries such as finance, healthcare, and critical infrastructure, improper access could violate compliance requirements related to data protection and operational integrity. Additionally, attackers could leverage this vulnerability to disrupt chaos experiments, causing false positives or negatives in resilience assessments, which might delay incident response or risk mitigation efforts. The medium severity rating suggests that while the vulnerability is not immediately catastrophic, it could serve as a foothold for further attacks or lateral movement within an organization’s cloud environment. The lack of vendor response and patches increases the urgency for organizations to implement compensating controls. Given the remote exploitability and absence of required user interaction, the threat surface is broad, potentially affecting any European entity using vulnerable LitmusChaos versions in their DevOps or SRE workflows.
Mitigation Recommendations
European organizations should immediately audit their use of LitmusChaos and identify any deployments running versions up to 3.19.0. Until an official patch is released, organizations should implement strict network segmentation and access controls to limit exposure of the /auth/login endpoint to trusted internal networks only. Employing Web Application Firewalls (WAFs) with custom rules to detect and block anomalous manipulation of the 'projectID' parameter can reduce exploitation risk. Monitoring and logging access to authentication endpoints should be enhanced to detect suspicious activity promptly. Organizations should also consider temporarily disabling or restricting chaos experiments that rely on projectID parameters until a fix is available. Coordinating with cloud providers or platform teams to enforce multi-factor authentication and least privilege principles around LitmusChaos access can further mitigate risk. Finally, organizations should maintain vigilance for any emerging exploit code or patches and plan for rapid deployment once available.
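As an added example (not code from the advisory or from the LitmusChaos project), the following Python script applies the monitoring recommendation above to constructed access-log lines: it parses requests to /auth/login, extracts the projectID query parameter, and flags clients that send malformed values or cycle through many distinct values on the login endpoint. The log line format, the "well-formed projectID" pattern and the threshold are assumptions for the example, not LitmusChaos specifics.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (hypothetical format: client IP, timestamp,
# request line, status); not taken from any real LitmusChaos deployment.
SAMPLE_LOG = """\
10.0.0.5 [10/Aug/2025:06:00:01 +0000] "POST /auth/login?projectID=proj-a HTTP/1.1" 200
198.51.100.7 [10/Aug/2025:06:01:00 +0000] "POST /auth/login?projectID=proj-a HTTP/1.1" 200
198.51.100.7 [10/Aug/2025:06:01:02 +0000] "POST /auth/login?projectID=proj-b HTTP/1.1" 200
198.51.100.7 [10/Aug/2025:06:01:03 +0000] "POST /auth/login?projectID=proj-c HTTP/1.1" 200
198.51.100.7 [10/Aug/2025:06:01:04 +0000] "POST /auth/login?projectID=../admin HTTP/1.1" 200
10.0.0.9 [10/Aug/2025:06:02:00 +0000] "POST /auth/login HTTP/1.1" 401
"""

LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Shape a legitimate projectID is assumed to have (assumption for this example).
VALID_PROJECT_ID = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

def parse_login_events(log_text):
    """Yield (client_ip, project_id_or_None, status) for every /auth/login hit."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/auth/login":
            continue
        pid = parse_qs(parts.query).get("projectID", [None])[0]
        yield ip, pid, int(status)

def find_suspicious_clients(log_text, max_distinct_ids=2):
    """Map client IP -> list of reasons. Flags clients that cycle through many
    projectID values on the login endpoint or send a malformed projectID."""
    seen = defaultdict(set)
    reasons = defaultdict(list)
    for ip, pid, _status in parse_login_events(log_text):
        if pid is None:
            continue
        seen[ip].add(pid)
        if not VALID_PROJECT_ID.match(pid):
            reasons[ip].append(f"malformed projectID {pid!r}")
    for ip, ids in seen.items():
        if len(ids) > max_distinct_ids:
            reasons[ip].append(f"{len(ids)} distinct projectID values on /auth/login")
    return dict(reasons)

ALERTS = find_suspicious_clients(SAMPLE_LOG)  # run on the constructed log
```

With the constructed input, only 198.51.100.7 is reported, once for the malformed value and once for the number of distinct projectID values it tried.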
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:34:13.313Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6898327fad5a09ad00114414
Added to database: 8/10/2025, 5:47:43 AM
Last enriched: 8/10/2025, 6:02:45 AM
Last updated: 8/10/2025, 1:55:57 PM
Related Threats
- CVE-2025-8818: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8816: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8815: Path Traversal in 猫宁i Morning (Medium)
- CVE-2025-8814: Cross-Site Request Forgery in atjiu pybbs (Medium)
- CVE-2025-8813: Open Redirect in atjiu pybbs (Medium)