Chaos Mesh v2.8.3 is a security-focused patch: critical/high CVEs addressed via Go 1.25.11 and containerd 1.7.32 upgrades, plus a NetworkChaos recovery bug fix.
securityUpgrade to v2.8.3 to patch critical/high CVEs
The Go toolchain and containerd in the container images had critical/high CVEs. If you're running Chaos Mesh on release-2.8, upgrade to v2.8.3 now. No config changes needed — this is a drop-in image update.
breakingVerify NetworkChaos experiments involving crash-looping pods
NetworkChaos recovery previously failed when the target container was in CrashLoopBackOff. v2.8.3 fixes this by falling back to the pause container's PID. If your test environments include intentionally crash-looping workloads, re-run those experiments to confirm recovery behaves correctly after the upgrade.
Key changes (5)
- Go toolchain upgraded to 1.25.11 and containerd to 1.7.32 to patch critical/high container image CVEs
- memStress helper rebuilt with updated Go toolchain (v0.3.1)
- chaos-daemon image switched to headless JRE, reducing attack surface
- NetworkChaos recovery now falls back to sandbox (pause) container PID when the target is in CrashLoopBackOff
- Deprecated wait.PollImmediate replaced with wait.PollUntilContextTimeout in e2e tests