CVE-2025-8797: Permission Issues in LitmusChaos Litmus
A vulnerability was found in LitmusChaos Litmus up to 3.19.0 and classified as critical. This issue affects some unknown processing of the component LocalStorage Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8797 is a medium-severity vulnerability affecting LitmusChaos Litmus versions up to 3.19.0. LitmusChaos is an open-source chaos engineering platform used to test the resilience of cloud-native applications by injecting faults into Kubernetes environments. The vulnerability arises from improper permission handling within the LocalStorage Handler component of Litmus: the flaw allows remote attackers to manipulate local storage processing, leading to permission issues that could allow unauthorized access to, or modification of, data or configurations. The attack vector is network-based (AV:N), attack complexity is low (AC:L), only low privileges are required (PR:L), and no user interaction is needed (UI:N). The impact on confidentiality, integrity, and availability is limited (VC:L, VI:L, VA:L). The vulnerability scope is unchanged (S:N), and there is no impact on subsequent systems (SI:N, SA:N). The CVSS 4.0 base score is 5.3, indicating medium severity. Although the vendor was notified early, no response or patch had been released at the time of disclosure. No exploitation in the wild has been observed, but the public disclosure of exploit details increases the risk of exploitation. Given LitmusChaos's role in Kubernetes environments, exploitation could lead to unauthorized permission escalation or data manipulation within chaos experiments, potentially undermining the reliability and security of resilience testing and the underlying infrastructure.
Potential Impact
For European organizations, especially those leveraging Kubernetes and cloud-native architectures, this vulnerability poses a risk to the integrity and confidentiality of chaos engineering experiments and potentially the broader infrastructure. Unauthorized manipulation of permissions in the LocalStorage Handler could allow attackers to alter chaos experiments, leading to misleading test results or unintended disruptions. This could impact critical sectors relying on robust cloud infrastructure, such as finance, healthcare, and telecommunications. The medium severity and remote exploitability mean attackers could leverage this flaw to gain footholds or disrupt operations without requiring user interaction or high privileges. Additionally, the lack of vendor response and patches increases exposure time. Organizations using LitmusChaos in production or testing environments should consider the risk of compromised resilience testing, which could cascade into operational risks if chaos experiments are manipulated or if attackers use this vector to escalate privileges within Kubernetes clusters.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement the following specific mitigations:
1) Restrict network access to LitmusChaos components, especially the LocalStorage Handler, using Kubernetes network policies and firewall rules to limit exposure to trusted sources only.
2) Employ strict Role-Based Access Control (RBAC) within Kubernetes to minimize permissions granted to LitmusChaos components and users, ensuring the principle of least privilege is enforced.
3) Monitor and audit LitmusChaos logs and Kubernetes API server logs for unusual permission changes or unexpected chaos experiment modifications.
4) Consider isolating LitmusChaos deployments in dedicated namespaces or clusters to contain potential exploitation impact.
5) Temporarily disable or limit the use of LocalStorage Handler features if feasible until a patch is available.
6) Engage with the LitmusChaos community or maintainers for updates and potential workarounds.
7) Implement runtime security tools that can detect anomalous behavior in Kubernetes pods and containers related to LitmusChaos.
These targeted mitigations go beyond generic advice by focusing on network segmentation, strict access controls, and monitoring tailored to the affected component and environment.
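Mitigation 3 above calls for auditing Kubernetes API server logs for permission changes and unexpected experiment modifications. The following is an added example (not from the advisory or the Litmus project) of a small audit-log triage script; it assumes Litmus runs in a namespace named `litmus`, that the Litmus CRD resources are named `chaosengines`, `chaosexperiments` and `chaosschedules`, and an allow-list of identities permitted to edit experiments. The audit events are constructed, not real logs.

```python
import json

# Constructed sample of Kubernetes audit events (audit.k8s.io/v1, JSON lines),
# trimmed to the fields the checks use. Not real log data.
SAMPLE_AUDIT_LOG = """
{"verb":"get","user":{"username":"litmus-admin"},"objectRef":{"resource":"chaosengines","namespace":"litmus","name":"pod-delete-1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-08-10T06:40:00Z"}
{"verb":"create","user":{"username":"system:serviceaccount:litmus:litmus-server"},"objectRef":{"resource":"rolebindings","namespace":"litmus","name":"chaos-runner-admin"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2025-08-10T06:41:00Z"}
{"verb":"patch","user":{"username":"jdoe"},"objectRef":{"resource":"chaosengines","namespace":"litmus","name":"pod-delete-1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-08-10T06:42:00Z"}
{"verb":"create","user":{"username":"litmus-admin"},"objectRef":{"resource":"chaosengines","namespace":"litmus","name":"pod-delete-2"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2025-08-10T06:43:00Z"}
{"verb":"delete","user":{"username":"jdoe"},"objectRef":{"resource":"rolebindings","namespace":"litmus","name":"chaos-runner-admin"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2025-08-10T06:44:00Z"}
"""

LITMUS_NAMESPACE = "litmus"  # assumed: namespace the Litmus control plane runs in
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
# Plural resource names of Litmus CRDs whose changes should be reviewed (assumed).
CHAOS_RESOURCES = {"chaosengines", "chaosexperiments", "chaosschedules"}
# Identities expected to create or edit experiments; anything else is flagged (assumed).
ALLOWED_CHAOS_EDITORS = {"litmus-admin", "system:serviceaccount:litmus:litmus-server"}

def classify_event(event):
    """Return a finding string for a suspicious audit event, or None if benign."""
    verb = event.get("verb", "")
    ref = event.get("objectRef", {})
    resource, ns, name = ref.get("resource", ""), ref.get("namespace", ""), ref.get("name", "")
    user = event.get("user", {}).get("username", "<unknown>")
    code = event.get("responseStatus", {}).get("code", 0)
    if verb not in MUTATING_VERBS:
        return None  # reads are not interesting for permission-change monitoring
    where = f"{verb} {resource}/{name} in ns {ns or '<cluster>'} (HTTP {code})"
    # Rule 1: any RBAC mutation scoped to the Litmus namespace, or cluster-wide,
    # is reported even when denied (403), since denied attempts indicate probing.
    if resource in RBAC_RESOURCES and (ns == LITMUS_NAMESPACE or resource.startswith("cluster")):
        return f"RBAC change: {user} {where}"
    # Rule 2: chaos experiments mutated by an identity not expected to do so.
    if resource in CHAOS_RESOURCES and ns == LITMUS_NAMESPACE and user not in ALLOWED_CHAOS_EDITORS:
        return f"Unexpected chaos resource change: {user} {where}"
    return None

def scan_audit_log(text):
    """Parse a JSON-lines audit log and return (timestamp, finding) pairs."""
    findings = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        event = json.loads(line)
        if finding := classify_event(event):
            findings.append((event.get("requestReceivedTimestamp", "?"), finding))
    return findings

if __name__ == "__main__":
    for ts, msg in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(ts, msg)
```

On the constructed sample the script reports the RoleBinding creation, the experiment patch by an identity outside the allow-list, and the denied RoleBinding deletion; the read and the allow-listed creation are ignored.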
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:34:18.719Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68984090ad5a09ad0011787c
Added to database: 8/10/2025, 6:47:44 AM
Last enriched: 8/18/2025, 12:59:21 AM
Last updated: 9/16/2025, 4:13:23 AM