CVE-2025-8796: Missing Authorization in LitmusChaos Litmus
A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8796 is a medium-severity vulnerability affecting LitmusChaos Litmus versions up to 3.19.0. The vulnerability resides in the Delete Request Handler component, specifically in the /auth/delete_project/ endpoint. The issue is a missing authorization check when processing the projectID argument: the handler does not verify that the caller is permitted to act on the project named by that argument, so an attacker can manipulate the parameter to bypass authorization controls. This flaw enables remote attackers to potentially delete projects without proper permissions. The vulnerability does not require user interaction and can be exploited over the network with low attack complexity, though it requires low privileges (PR:L) according to the CVSS vector. The impact on confidentiality is none, but integrity and availability are partially affected due to the ability to delete projects. The vendor was notified but has not responded, and no patches have been released yet. Although no known exploits are currently in the wild, public disclosure increases the risk of exploitation. Given that LitmusChaos is a tool used for chaos engineering in Kubernetes environments, unauthorized deletion of projects could disrupt testing workflows, impact development pipelines, and potentially cause downtime or misconfiguration in critical cloud-native infrastructure.
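The flaw class described above is a missing object-level authorization check: authentication proves who the caller is, but nothing ties the caller-supplied projectID to what that caller may do. The following Go program is an added illustration written for this page; it is not LitmusChaos code and does not claim to reproduce the project's handler. The in-memory ProjectStore, the user and project names, and the owner-only deletion rule are all constructed assumptions. DeleteProjectUnchecked models the flawed pattern and DeleteProjectChecked shows the check that closes it.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrNotFound  = errors.New("project not found")
	ErrForbidden = errors.New("caller is not authorized to delete this project")
)

// ProjectStore is a constructed in-memory stand-in for a project database.
// It is hypothetical: not LitmusChaos code, and the owner-only deletion rule
// is an assumption chosen to keep the example small.
type ProjectStore struct {
	owners map[string]string // projectID -> user ID of the project owner
}

func NewProjectStore() *ProjectStore {
	return &ProjectStore{owners: map[string]string{}}
}

// Add registers a project with its owner.
func (s *ProjectStore) Add(projectID, owner string) {
	s.owners[projectID] = owner
}

// Exists reports whether a project is still present.
func (s *ProjectStore) Exists(projectID string) bool {
	_, ok := s.owners[projectID]
	return ok
}

// DeleteProjectUnchecked models the flaw class in the advisory: the caller has
// passed authentication (any logged-in user, matching CVSS PR:L), but nothing
// relates the caller-supplied projectID to what that caller may act on, so any
// authenticated user can remove any project.
func (s *ProjectStore) DeleteProjectUnchecked(callerID, projectID string) error {
	if !s.Exists(projectID) {
		return ErrNotFound
	}
	delete(s.owners, projectID)
	return nil
}

// DeleteProjectChecked adds the object-level authorization check that the
// unchecked version lacks: the decision is made against the server-side record
// for this specific projectID, never against anything the client sent.
func (s *ProjectStore) DeleteProjectChecked(callerID, projectID string) error {
	owner, ok := s.owners[projectID]
	if !ok {
		return ErrNotFound
	}
	if owner != callerID {
		// Deny before any state changes; this branch is also where an audit
		// event for the denied attempt belongs.
		return ErrForbidden
	}
	delete(s.owners, projectID)
	return nil
}

func main() {
	s := NewProjectStore()
	s.Add("proj-a", "alice")
	s.Add("proj-b", "bob")

	// mallory is authenticated but owns neither project.
	fmt.Println("unchecked:", s.DeleteProjectUnchecked("mallory", "proj-a")) // nil: proj-a is gone
	fmt.Println("checked:  ", s.DeleteProjectChecked("mallory", "proj-b"))   // ErrForbidden
	fmt.Println("owner:    ", s.DeleteProjectChecked("bob", "proj-b"))       // nil
	fmt.Println("proj-b exists:", s.Exists("proj-b"))                        // false
}
```

The point of the checked version is where the decision comes from: ownership is read from the server-side record keyed by projectID, so changing the parameter only changes which record is consulted, not the outcome of the check.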
Potential Impact
For European organizations using LitmusChaos Litmus, this vulnerability could lead to unauthorized deletion of chaos engineering projects, undermining the reliability and resilience testing of their Kubernetes clusters. This may result in reduced confidence in system stability, delayed incident response, and potential service disruptions. Organizations relying on chaos engineering to validate fault tolerance and recovery mechanisms could face increased operational risk. Additionally, if project deletion affects audit trails or configuration states, it could complicate compliance with European data protection and operational standards such as the GDPR and the NIS Directive. The remote exploitability and lack of required user interaction make this a significant threat in environments where LitmusChaos is integrated into CI/CD pipelines or automated testing frameworks.
Mitigation Recommendations
Since no official patch is available, European organizations should implement compensating controls immediately. These include restricting network access to the /auth/delete_project/ endpoint using firewall rules or API gateways to limit exposure to trusted internal IPs only. Implement strict role-based access controls (RBAC) at the Kubernetes cluster and application levels to ensure only authorized personnel can invoke project deletion APIs. Monitor and log all delete-project requests for unusual activity and establish alerting for unauthorized attempts. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious parameter manipulation. Organizations should also evaluate the feasibility of temporarily disabling the delete-project functionality if it is not critical. Finally, maintain close communication with the LitmusChaos vendor and community for updates or patches and plan for rapid deployment once available.
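The monitoring and alerting recommendation above can be made concrete as a small log scanner. The Go program below is an added example for this page, not LitmusChaos tooling; the log line format (timestamp, source IP, user=<id>, method, path, status) and the sample lines are constructed assumptions, and the endpoint path is the one the advisory names. It applies three checks to every request that hits /auth/delete_project/: a source address outside the trusted prefixes that the firewall or API gateway should be enforcing, a denied attempt (401/403), and a single user reaching a configurable number of successful deletions.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Alert is one finding produced by ScanDeleteRequests.
type Alert struct {
	Reason    string
	Source    string
	User      string
	ProjectID string
}

// SampleLog is constructed for this example. The format (timestamp, source IP,
// user=<id>, method, path, status) is an assumption, not LitmusChaos's format.
const SampleLog = `2025-08-10T06:17:45Z 10.0.1.20 user=alice POST /auth/delete_project/?projectID=proj-a 200
2025-08-10T06:17:50Z 198.51.100.7 user=mallory POST /auth/delete_project/?projectID=proj-b 200
2025-08-10T06:17:51Z 198.51.100.7 user=mallory POST /auth/delete_project/?projectID=proj-c 200
2025-08-10T06:18:02Z 10.0.1.21 user=bob GET /api/projects 200
2025-08-10T06:18:10Z 10.0.1.22 user=carol POST /auth/delete_project/?projectID=proj-d 403`

// deleteEndpoint is the path named in the advisory.
const deleteEndpoint = "/auth/delete_project/"

type request struct {
	source, user, method, path, status string
}

// parseLine splits one log line into its fields; malformed lines are skipped.
func parseLine(line string) (request, bool) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return request{}, false
	}
	return request{
		source: f[1],
		user:   strings.TrimPrefix(f[2], "user="),
		method: f[3],
		path:   f[4],
		status: f[5],
	}, true
}

// projectIDOf extracts the projectID query parameter from a request path.
func projectIDOf(rawPath string) string {
	u, err := url.Parse(rawPath)
	if err != nil {
		return ""
	}
	return u.Query().Get("projectID")
}

// isTrusted reports whether the source address falls inside any trusted prefix.
func isTrusted(source string, trusted []netip.Prefix) bool {
	addr, err := netip.ParseAddr(source)
	if err != nil {
		return false
	}
	for _, p := range trusted {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ScanDeleteRequests flags delete_project requests from untrusted sources,
// denied attempts, and any user whose successful deletions reach burstThreshold.
func ScanDeleteRequests(logText string, trusted []netip.Prefix, burstThreshold int) []Alert {
	var alerts []Alert
	successes := map[string]int{}
	for _, line := range strings.Split(logText, "\n") {
		r, ok := parseLine(line)
		if !ok || !strings.HasPrefix(r.path, deleteEndpoint) {
			continue
		}
		pid := projectIDOf(r.path)
		if !isTrusted(r.source, trusted) {
			alerts = append(alerts, Alert{Reason: "untrusted source", Source: r.source, User: r.user, ProjectID: pid})
		}
		switch r.status {
		case "401", "403":
			alerts = append(alerts, Alert{Reason: "denied attempt", Source: r.source, User: r.user, ProjectID: pid})
		case "200", "204":
			successes[r.user]++
			if successes[r.user] == burstThreshold {
				alerts = append(alerts, Alert{Reason: "deletion burst", Source: r.source, User: r.user, ProjectID: pid})
			}
		}
	}
	return alerts
}

func main() {
	trusted := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")} // assumed internal range
	for _, a := range ScanDeleteRequests(SampleLog, trusted, 2) {
		fmt.Printf("%-16s user=%-8s src=%-13s projectID=%s\n", a.Reason, a.User, a.Source, a.ProjectID)
	}
}
```

On the sample lines the scanner raises four alerts: two for mallory's requests from 198.51.100.7, one deletion burst when mallory's successful count reaches two, and one denied attempt for carol. The burst threshold is deliberately a parameter, since the right value depends on how often operators legitimately delete projects in a given environment.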
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:34:15.676Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68983989ad5a09ad0011631c
Added to database: 8/10/2025, 6:17:45 AM
Last enriched: 8/10/2025, 6:32:44 AM
Last updated: 8/10/2025, 2:14:07 PM