CVE-2025-8796: Missing Authorization in LitmusChaos Litmus
A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8796 is a medium-severity vulnerability in LitmusChaos Litmus versions up to 3.19.0. It lies in the Delete Request Handler behind the /auth/delete_project/ endpoint, which accepts a projectID argument without verifying that the authenticated caller is actually authorized for that project. An attacker who can reach the endpoint can therefore supply another project's ID and have it deleted, disrupting chaos engineering workflows and destroying that project's configuration and data. The CVSS vector reported for the issue gives low attack complexity, no user interaction and PR:L, so the attack needs a low-privileged authenticated account on the instance, not administrative rights; it is not unauthenticated. The vendor has not responded to the disclosure and, at the time of this analysis, no patch has been released. No exploitation in the wild is known, but the proof of concept is public, which raises the likelihood of opportunistic use. The impact on confidentiality, integrity and availability is limited in scope but concrete: unauthorized deletion of projects means loss of configuration, interrupted chaos experiments and knock-on effects on any resilience-testing programme that depends on them.
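To make the missing check concrete, the following added example (written for this analysis, not code from the LitmusChaos project) contrasts a delete handler that only checks authentication with one that also checks object-level authorization. The in-memory project store, the one-owner-per-project model, the X-User header standing in for a validated session, and projectID as a query parameter are all assumptions made for the illustration, not a description of Litmus's real schema or routing.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Project and Store are a hypothetical in-memory stand-in for the auth
// server's project table. The one-owner-per-project model is an assumption
// made for this example, not LitmusChaos's real membership schema.
type Project struct {
	ID      string
	OwnerID string
}

type Store struct {
	mu       sync.Mutex
	projects map[string]Project
}

func NewStore() *Store {
	return &Store{projects: map[string]Project{
		"proj-a": {ID: "proj-a", OwnerID: "alice"},
		"proj-b": {ID: "proj-b", OwnerID: "bob"},
	}}
}

// callerID returns the authenticated user. For the example it trusts an
// X-User header set by an assumed upstream authentication layer; a real
// server would take it from the validated session token.
func callerID(r *http.Request) string { return r.Header.Get("X-User") }

// VulnerableDelete checks only that the caller is authenticated, then deletes
// whatever projectID the client supplied: any logged-in user can delete any
// project. This is the missing-authorization pattern the advisory describes.
func (s *Store) VulnerableDelete(w http.ResponseWriter, r *http.Request) {
	if callerID(r) == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	id := r.URL.Query().Get("projectID")
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.projects[id]; !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	delete(s.projects, id)
	w.WriteHeader(http.StatusOK)
}

// HardenedDelete ties the decision to the object: the caller must own the
// project named in the request. Unknown and not-owned projects get the same
// 404 so the endpoint cannot be used to enumerate valid projectIDs.
func (s *Store) HardenedDelete(w http.ResponseWriter, r *http.Request) {
	user := callerID(r)
	if user == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	id := r.URL.Query().Get("projectID")
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.projects[id]
	if !ok || p.OwnerID != user {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	delete(s.projects, id)
	w.WriteHeader(http.StatusOK)
}

// Exercise sends a delete for target as user to handler and reports the HTTP
// status and whether the project still exists afterwards.
func Exercise(handler http.HandlerFunc, s *Store, user, target string) (int, bool) {
	req := httptest.NewRequest(http.MethodPost, "/auth/delete_project/?projectID="+target, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	handler(rec, req)
	s.mu.Lock()
	defer s.mu.Unlock()
	_, alive := s.projects[target]
	return rec.Code, alive
}

func main() {
	s := NewStore()
	code, alive := Exercise(s.VulnerableDelete, s, "mallory", "proj-a")
	fmt.Printf("vulnerable handler: mallory deletes proj-a -> status %d, project still exists: %v\n", code, alive)

	s = NewStore()
	code, alive = Exercise(s.HardenedDelete, s, "mallory", "proj-a")
	fmt.Printf("hardened handler:   mallory deletes proj-a -> status %d, project still exists: %v\n", code, alive)
}
```

The point of the hardened version is that the authorization decision is made against the specific object the request names, not against the caller's general role; a "must be logged in" check, however strict, cannot stop one tenant's user from naming another tenant's projectID.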
Potential Impact
For European organizations using LitmusChaos Litmus for chaos engineering and resilience testing, this vulnerability poses a risk of unauthorized project deletion, which can disrupt testing workflows and potentially delay incident response or resilience validation processes. Organizations relying on LitmusChaos to validate system robustness may face operational setbacks, increased downtime, or misinformed risk assessments if project data is maliciously deleted. This could indirectly affect service availability and reliability, especially in critical infrastructure or industries with stringent uptime requirements such as finance, healthcare, and manufacturing. The medium severity suggests moderate risk, but the lack of vendor response and patch availability increases exposure. Additionally, unauthorized deletion could be leveraged as part of a broader attack chain to weaken organizational defenses or cover tracks after other intrusions.
Mitigation Recommendations
Given the absence of an official patch, European organizations should apply compensating controls now. Restrict network access to the Litmus management interfaces to trusted IP ranges and keep the environment off public networks. Because the flaw requires an authenticated account, review which users exist on the instance and remove any that are no longer needed. Log every request to /auth/delete_project/ together with the authenticated user and the projectID, and alert on deletes by users who are not members of the named project or who target many different projectIDs in quick succession. A WAF or reverse-proxy rule can rate-limit the endpoint or confine it to administrator source addresses, but it has no knowledge of project membership and so cannot substitute for the missing authorization check. Keep regular backups of project configurations and data so that deleted projects can be restored quickly. Enable multi-factor authentication on the identity provider fronting Litmus where possible to reduce the risk of credential compromise, and monitor vendor channels for a fix.
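The detection logic suggested above, as an added example written for this analysis rather than anything shipped with Litmus or its proxies: it scans constructed access-log lines for calls to the vulnerable endpoint and raises an alert when the caller is not the owner of the named project, or when one caller targets more distinct projectIDs than a threshold allows. The key=value log format, the project-to-owner table and the sample lines are all constructed for the illustration; the parser would need adapting to the real proxy or audit-log format.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleLog is constructed for this example. The key=value layout is an
// assumed format, not what Litmus or any particular reverse proxy emits.
const sampleLog = `ts=2025-08-10T06:01:02Z user=alice method=POST path=/auth/delete_project/ projectID=proj-a status=200
ts=2025-08-10T06:01:09Z user=bob method=GET path=/auth/get_projects status=200
ts=2025-08-10T06:02:15Z user=mallory method=POST path=/auth/delete_project/ projectID=proj-b status=200
ts=2025-08-10T06:02:16Z user=mallory method=POST path=/auth/delete_project/ projectID=proj-c status=200
ts=2025-08-10T06:02:17Z user=mallory method=POST path=/auth/delete_project/ projectID=proj-d status=404
`

// Owners is the hypothetical source of truth for who may delete which
// project; in practice it would be exported from the auth server's
// membership data on a schedule.
var Owners = map[string]string{
	"proj-a": "alice",
	"proj-b": "bob",
	"proj-c": "carol",
}

type Alert struct {
	User      string
	ProjectID string // empty for per-user (enumeration) alerts
	Reason    string
}

// parseLine splits "k=v k=v ..." into a map; unknown tokens are ignored.
func parseLine(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// Scan returns one alert for every delete_project request whose caller does
// not own the named project (unknown projectIDs count, since they indicate
// guessing), plus one alert the moment a single user has targeted more than
// maxDistinct distinct projects, which is the enumeration pattern an attacker
// exploiting this flaw would produce.
func Scan(logText string, maxDistinct int) []Alert {
	var alerts []Alert
	targeted := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := parseLine(sc.Text())
		if f["path"] != "/auth/delete_project/" {
			continue
		}
		user, pid := f["user"], f["projectID"]
		if owner, known := Owners[pid]; !known || owner != user {
			alerts = append(alerts, Alert{user, pid, "caller is not the owner of projectID"})
		}
		if targeted[user] == nil {
			targeted[user] = map[string]bool{}
		}
		targeted[user][pid] = true
		if len(targeted[user]) == maxDistinct+1 {
			alerts = append(alerts, Alert{user, "",
				fmt.Sprintf("targeted more than %d distinct projects", maxDistinct)})
		}
	}
	return alerts
}

func main() {
	for _, a := range Scan(sampleLog, 2) {
		fmt.Printf("ALERT user=%s projectID=%q reason=%s\n", a.User, a.ProjectID, a.Reason)
	}
}
```

The ownership check is the one that actually reflects the vulnerability: a 200 on delete_project from a user who has no relationship to that project is direct evidence of exploitation, and the 404 on an unknown projectID is the same attacker probing for valid IDs. The distinct-project threshold is a weaker, rate-style signal and should be tuned to how many projects a legitimate user ever administers.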
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:34:15.676Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68983989ad5a09ad0011631c
Added to database: 8/10/2025, 6:17:45 AM
Last enriched: 8/18/2025, 12:59:03 AM
Last updated: 9/15/2025, 11:22:34 PM