CVE-2025-8797 is a medium-severity vulnerability affecting LitmusChaos Litmus versions up to 3.19.0. LitmusChaos is an open-source chaos engineering platform used to test the resilience of cloud-native applications, often deployed in Kubernetes environments. The vulnerability stems from improper permission handling within the LocalStorage Handler component. This flaw allows an attacker to manipulate permissions remotely without requiring user interaction or elevated privileges beyond low-level privileges (PR:L). The CVSS 4.0 vector indicates that the attack can be launched over the network (AV:N) with low attack complexity (AC:L), no privileges required (PR:L), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is low to limited (VC:L, VI:L, VA:L), suggesting that while the permissions can be manipulated, the scope of damage is somewhat constrained. The vendor has not responded to the vulnerability disclosure, and no patches or mitigations have been officially released yet. Although no known exploits are currently in the wild, the public disclosure increases the risk of exploitation attempts. Given LitmusChaos's role in managing chaos experiments and potentially interacting with critical infrastructure components, unauthorized permission changes could lead to unauthorized access or disruption of chaos testing workflows, potentially impacting system stability and reliability.

For European organizations, particularly those leveraging cloud-native architectures and Kubernetes environments, this vulnerability poses a risk to the integrity and availability of chaos engineering processes. Since chaos engineering is often used to improve system resilience, exploitation could undermine these efforts by allowing attackers to alter permissions, potentially disabling or manipulating chaos experiments. This could lead to undetected system weaknesses or unplanned outages. Organizations in sectors such as finance, telecommunications, and critical infrastructure that rely on LitmusChaos for resilience testing may face operational disruptions or increased risk exposure. The medium severity and lack of user interaction required make it feasible for attackers to exploit this remotely, increasing the threat surface. Furthermore, the absence of vendor response and patches means organizations must proactively address the risk to avoid potential exploitation.

European organizations should immediately audit their use of LitmusChaos, specifically checking versions in use and the deployment configurations of the LocalStorage Handler component. Until official patches are available, organizations should consider isolating LitmusChaos environments from untrusted networks and restrict network access to trusted administrators only. Implement strict role-based access controls (RBAC) around the LitmusChaos deployment to limit the impact of any permission manipulation. Monitoring and logging should be enhanced to detect unusual permission changes or unauthorized access attempts within the chaos engineering platform. Organizations may also explore temporary workarounds such as disabling the LocalStorage Handler if feasible or deploying network-level controls like firewalls or micro-segmentation to reduce exposure. Finally, maintain close monitoring of vendor communications and security advisories for any forthcoming patches or updates.