JFrog Security Research has disclosed several critical vulnerabilities, collectively called "Chaotic Deputy," in the popular chaos engineering platform Chaos-Mesh. These vulnerabilities, identified as CVE-2025-59358, CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361, allow in-cluster attackers to execute arbitrary code on any pod within a Kubernetes cluster, posing a risk of cluster-wide denial-of-service attacks and unauthorized access to privileged information. Users of Chaos-Mesh are advised to upgrade to version 2.7.3 or apply the recommended workarounds to mitigate these risks. The vulnerabilities stem from issues such as missing authentication and OS command injection, which enable attackers to exploit the GraphQL server exposed by the Chaos Controller Manager. JFrog worked with the Chaos-Mesh maintainers to address these issues, emphasizing the need for vigilance in maintaining secure systems in the face of evolving threats.
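The practical first step for a defender is to find out which Chaos-Mesh components in a cluster are still below the fixed release. The script below is an added example written for this summary, not tooling from JFrog or the Chaos-Mesh project. It assumes that Chaos-Mesh components are identified by images under the `ghcr.io/chaos-mesh/` registry path and that the pod listing comes from `kubectl get pods -A -o json`; a constructed sample listing is embedded so it runs offline. It flags every Chaos-Mesh image older than 2.7.3 as vulnerable and reports digest-pinned images, whose version cannot be read from the tag, for manual review rather than silently passing them.

```python
"""Audit a Kubernetes pod listing for Chaos-Mesh components below the 2.7.3 fix.

Added defensive example, not JFrog's or Chaos-Mesh's own code. Assumptions:
Chaos-Mesh images live under ghcr.io/chaos-mesh/ and the input is the JSON
produced by `kubectl get pods -A -o json` (a constructed sample is used here).
"""
import json
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (2, 7, 3)   # first fixed release per the advisory
IMAGE_PREFIX = "ghcr.io/chaos-mesh/"              # assumed image naming convention
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample resembling `kubectl get pods -A -o json`; not real cluster data.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-controller-manager-7c9d"},
         "spec": {"containers": [
             {"name": "chaos-mesh", "image": "ghcr.io/chaos-mesh/chaos-mesh:v2.6.2"}]}},
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-daemon-x1"},
         "spec": {"containers": [
             {"name": "chaos-daemon", "image": "ghcr.io/chaos-mesh/chaos-daemon:v2.7.3"}]}},
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-dashboard-a2"},
         "spec": {"containers": [
             {"name": "chaos-dashboard",
              "image": "ghcr.io/chaos-mesh/chaos-dashboard@sha256:" + "0" * 64}]}},
        {"metadata": {"namespace": "web", "name": "nginx-1"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.27"}]}},
    ]
})


def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an image tag, or None when the image is
    pinned by digest or the tag is not a semver-style version."""
    name_part = image.split("@", 1)[0]              # drop any @sha256:... digest
    last_segment = name_part.rsplit("/", 1)[-1]     # ignore ':' in registry:port
    if ":" not in last_segment:
        return None                                  # no tag at all
    tag = last_segment.rsplit(":", 1)[1]
    m = VERSION_RE.match(tag)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def audit(pods_json: str) -> List[Dict[str, str]]:
    """Walk every container and init container in the listing and report
    Chaos-Mesh images that are below FIXED_VERSION or of undeterminable version."""
    findings: List[Dict[str, str]] = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod["metadata"]
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            image = c.get("image", "")
            if not image.startswith(IMAGE_PREFIX):
                continue                             # not a Chaos-Mesh component
            ver = parse_version(image)
            if ver is None:
                status = "unknown-version"           # digest-pinned: review manually
            elif ver < FIXED_VERSION:
                status = "vulnerable"                # older than the 2.7.3 fix
            else:
                continue                             # already on a fixed release
            findings.append({
                "namespace": meta["namespace"],
                "pod": meta["name"],
                "container": c["name"],
                "image": image,
                "status": status,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PODS_JSON):
        print(f"{f['status']:15} {f['namespace']}/{f['pod']} ({f['container']}) {f['image']}")
```

To run it against a live cluster, replace `SAMPLE_PODS_JSON` with the output of `kubectl get pods -A -o json`. Tuple comparison gives correct ordering for plain `major.minor.patch` tags; pre-release suffixes such as `-rc.1` are compared by their base version only, which errs on the side of flagging them.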