Nov 24, 2025Ravie LakshmananVulnerability / Container Safety
Cybersecurity researchers have found 5 vulnerabilities in Fluent Bit, an open-source and light-weight telemetry agent, that might be chained to compromise and take over cloud infrastructures.
The safety defects “enable attackers to bypass authentication, carry out path traversal, obtain distant code execution, trigger denial-of-service circumstances, and manipulate tags,” Oligo Safety mentioned in a report shared with The Hacker Information.
Profitable exploitation of the issues might allow attackers to disrupt cloud providers, manipulate information, and burrow deeper into cloud and Kubernetes infrastructure. The listing of recognized vulnerabilities is as follows –
CVE-2025-12972 – A path traversal vulnerability stemming from using unsanitized tag values to generate output filenames, making it doable to jot down or overwrite arbitrary recordsdata on disk, enabling log tampering and distant code execution.
CVE-2025-12970 – A stack buffer overflow vulnerability within the Docker Metrics enter plugin (in_docker) that would enable attackers to set off code execution or crash the agent by creating containers with excessively lengthy names.
CVE-2025-12978 – A vulnerability within the tag-matching logic lets attackers spoof trusted tags – that are assigned to each occasion ingested by Fluent Bit – by guessing solely the primary character of a Tag_Key, permitting an attacker to reroute logs, bypass filters, and inject malicious or deceptive information underneath trusted tags.
CVE-2025-12977 – An improper enter validation of tags derived from user-controlled fields, permitting an attacker to inject newlines, traversal sequences, and management characters that may corrupt downstream logs.
CVE-2025-12969 – A lacking safety.customers authentication within the in_forward plugin that is used to obtain logs from different Fluent Bit situations utilizing the Ahead protocol, permitting attackers to ship logs, inject false telemetry, and flood a safety product’s logs with false occasions.
“The quantity of management enabled by this class of vulnerabilities might enable an attacker to breach deeper right into a cloud atmosphere to execute malicious code via Fluent Bit, whereas dictating which occasions are recorded, erasing or rewriting incriminating entries to cover their tracks after an assault, injecting faux telemetry, and injecting believable faux occasions to mislead responders,” researchers mentioned.
The CERT Coordination Middle (CERT/CC), in an unbiased advisory, mentioned many of those vulnerabilities require an attacker to have community entry to a Fluent Bit occasion, including they might be used for authentication bypass, distant code execution, service disruption, and tag manipulation.
Following accountable disclosure, the problems have been addressed in variations 4.1.1 and 4.0.12 launched final month. Amazon Net Companies (AWS), which additionally engaged in coordinated disclosure, has urged prospects working Fluentbit to replace to the most recent model for optimum safety.
Given Fluent Bit’s reputation inside enterprise environments, the shortcomings have the potential to impair entry to cloud providers, enable information tampering, and seize management of the logging service itself.
Different beneficial actions embody avoiding use of dynamic tags for routing, locking down output paths and locations to forestall tag-based path enlargement or traversal, mounting /fluent-bit/and so on/ and configuration recordsdata as read-only to dam runtime tampering, and working the service as non-root customers.
The event comes greater than a 12 months after Tenable detailed a flaw in Fluent Bit’s built-in HTTP server (CVE-2024-4323 aka Linguistic Lumberjack) that might be exploited to realize denial-of-service (DoS), info disclosure, or distant code execution.
