Cyber Web Spider Blog – News

Critical FluentBit Vulnerabilities Let Attackers Compromise Cloud Environments Remotely

Posted on November 25, 2025 By CWS

A new chain of five critical vulnerabilities discovered in Fluent Bit has exposed billions of containerized environments to remote compromise.

Fluent Bit, an open-source logging and telemetry agent deployed over 15 billion times globally, sits at the core of modern cloud infrastructure.

The tool collects, processes, and forwards logs across banking systems, cloud platforms like AWS and Microsoft Azure, and Kubernetes environments.

When failures occur at this scale, they don’t just affect individual systems but ripple across the entire cloud ecosystem.

These newly disclosed flaws allow attackers to bypass authentication, perform unauthorized file operations, achieve remote code execution, and cause denial-of-service attacks through unsanitized tag manipulation.

The attack surface extends across multiple critical functionalities. Attackers exploiting these vulnerabilities could disrupt cloud services, tamper with data, and execute malicious code while hiding their tracks.

By controlling logging service behavior, adversaries gain the ability to inject fake telemetry, reroute logs to unauthorized destinations, and alter which events get recorded.

Some vulnerabilities have remained unpatched for over eight years, leaving cloud environments exposed to determined attackers. Security researchers at Oligo Security identified these flaws in collaboration with AWS through coordinated vulnerability disclosure.

The research demonstrates how weaknesses in foundational infrastructure components can enable sophisticated attack chains affecting millions of deployments worldwide.

Oligo Security analysts identified the vulnerabilities after conducting thorough security assessments of Fluent Bit’s input and output plugins.

The research team found that authentication mechanisms, input validation, and buffer handling contained critical security gaps.

Their findings prompted rapid coordination with AWS and the Fluent Bit maintainers, resulting in fixes released in version 4.1.1.

Technical Breakdown of Path Traversal and File Write Vulnerabilities

CVE-2025-12972 represents one of the most dangerous flaws in the chain. The File output plugin in Fluent Bit writes logs directly to the filesystem using two configuration parameters: Path and File.

Many common configurations use only the Path option and derive filenames from record tags. However, the plugin fails to sanitize these tags before constructing file paths. Attackers can inject path traversal sequences like “../” within tag values to escape the intended directory and write files anywhere on the system.

Flaw chain (Source – Oligo)

Since attackers maintain partial control over data written to these files through log content manipulation, they can create malicious configuration files, scripts, or executables in critical system locations.

When Fluent Bit runs with elevated privileges, this leads to remote code execution. The vulnerability becomes trivially exploitable when HTTP input is configured with Tag_Key settings and File output lacks an explicit File parameter.

Configurations using the forward input combined with file output are equally vulnerable, enabling unauthenticated attackers to inject malicious tags and write arbitrary files.
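The path-construction problem described above, as an added example that is not part of the original article and not Fluent Bit's own C code: a simplified Python model of joining an output directory with an unsanitized tag, next to a containment check that rejects any tag resolving outside that directory. The function names, the base directory and the sample tags are constructed for illustration.

```python
import os

# Constructed sample tags: two ordinary ones and three that try to leave the directory.
SAMPLE_TAGS = ["app.web", "kube.nginx", "../../etc/cron.d/job", "/tmp/abs", "a/../../b"]


def naive_output_path(base_dir: str, tag: str) -> str:
    """Model of the unsafe pattern: the tag is used as the file name as-is."""
    return os.path.normpath(os.path.join(base_dir, tag))


def safe_output_path(base_dir: str, tag: str) -> str:
    """Resolve the tag under base_dir and refuse any result outside it."""
    if not tag or "\x00" in tag:
        raise ValueError("empty tag or NUL byte in tag")
    base = os.path.realpath(base_dir)
    # realpath collapses "..", follows symlinks, and lets an absolute tag
    # replace the base entirely, so the check below sees the real target.
    candidate = os.path.realpath(os.path.join(base, tag))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"tag escapes output directory: {tag!r}")
    return candidate


def audit_tags(base_dir: str, tags) -> dict:
    """Classify each tag as 'ok' or 'rejected' by the containment check."""
    results = {}
    for tag in tags:
        try:
            safe_output_path(base_dir, tag)
            results[tag] = "ok"
        except ValueError:
            results[tag] = "rejected"
    return results


if __name__ == "__main__":
    print(naive_output_path("/var/log/flb", "../../../etc/cron.d/job"))
    for tag, verdict in audit_tags("/var/log/flb", SAMPLE_TAGS).items():
        print(f"{verdict:9} {tag}")
```

The same check is useful in any pipeline stage that turns a record field into a file name, independent of the upgrade to a fixed release.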

| CVE ID | Vulnerability Type | Affected Component | CVSS Severity | Impact |
|---|---|---|---|---|
| CVE-2025-12972 | Path Traversal File Write | out_file plugin | Critical | RCE, Log Tampering |
| CVE-2025-12970 | Stack Buffer Overflow | in_docker plugin | Critical | DoS, RCE |
| CVE-2025-12978 | Partial String Comparison | HTTP/Splunk/Elasticsearch inputs | Critical | Tag Spoofing |
| CVE-2025-12977 | Improper Input Validation | HTTP/Splunk/Elasticsearch inputs | Critical | Injection Attacks |
| CVE-2025-12969 | Missing Authentication | in_forward plugin | Critical | Unauthorized Access |

Immediate patching to version 4.1.1 or 4.0.12 is essential for all organizations running Fluent Bit. Organizations should prioritize updating production deployments and implement configuration changes to limit attack exposure.

Static, predefined tags eliminate untrusted input from influencing routing and file operations. Setting explicit Path and File parameters in output configurations prevents dynamic tag-based path construction.

Running Fluent Bit with non-root privileges and read-only mounted configuration files significantly reduces the impact of successful exploitation. AWS has already secured its internal systems and recommends all customers upgrade immediately.
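One way to check existing deployments for the exposure conditions named in this article, as an added example that is not from the original article or from the Fluent Bit project: a small auditor for classic-mode configuration text that flags a file output with no File parameter and raises the severity when an http input with Tag_Key or a forward input is present. The sample configurations, the HIGH/MEDIUM labels and the function names are constructed assumptions.

```python
import re

# Constructed sample configs (classic mode), not taken from the article.
WEAK = """
[INPUT]
    Name     http
    Port     9880
    Tag_Key  service
[OUTPUT]
    Name   file
    Match  *
    Path   /var/log/flb
"""
FIXED = """
[INPUT]
    Name  http
    Port  9880
    Tag   app.http
[OUTPUT]
    Name   file
    Match  app.http
    Path   /var/log/flb
    File   app-http.log
"""


def parse_classic(text):
    """Parse config text into [(SECTION, {key: value})]; keys are lowercased."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            sections.append((m.group(1).upper(), {}))
        elif sections:
            parts = line.split(None, 1)
            sections[-1][1][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return sections


def audit(text):
    """Return (severity, finding, tag-controlling inputs) per risky file output."""
    secs = [(k, kv.get("name", "").lower(), kv) for k, kv in parse_classic(text)]
    dynamic = [n for k, n, kv in secs if k == "INPUT"
               and (n == "forward" or (n == "http" and "tag_key" in kv))]
    return [("HIGH" if dynamic else "MEDIUM", "file output without File", tuple(dynamic))
            for k, n, kv in secs if k == "OUTPUT" and n == "file" and "file" not in kv]
```

`audit(WEAK)` reports one HIGH finding naming the http input, while `audit(FIXED)` returns an empty list because the tag is static and the output sets both Path and File.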

The security community views these vulnerabilities as evidence of systemic challenges in open-source security reporting, where critical infrastructure components often rely on volunteer maintainers with limited resources to handle coordinated security disclosures.
