Cybersecurity researchers have found 5 vulnerabilities in Fluent Bit, an open-source and light-weight telemetry agent, that may very well be chained to compromise and take over cloud infrastructures.
The safety defects “enable attackers to bypass authentication, carry out path traversal, obtain distant code execution, trigger denial-of-service circumstances, and manipulate tags,” Oligo Safety stated in a report shared with The Hacker Information.
Profitable exploitation of the issues might allow attackers to disrupt cloud providers, manipulate information, and burrow deeper into cloud and Kubernetes infrastructure. The record of recognized vulnerabilities is as follows –
- CVE-2025-12972 – A path traversal vulnerability stemming from using unsanitized tag values to generate output filenames, making it doable to put in writing or overwrite arbitrary information on disk, enabling log tampering and distant code execution.
- CVE-2025-12970 – A stack buffer overflow vulnerability within the Docker Metrics enter plugin (in_docker) that might enable attackers to set off code execution or crash the agent by creating containers with excessively lengthy names.
- CVE-2025-12978 – A vulnerability within the tag-matching logic lets attackers spoof trusted tags – that are assigned to each occasion ingested by Fluent Bit – by guessing solely the primary character of a Tag_Key, permitting an attacker to reroute logs, bypass filters, and inject malicious or deceptive data below trusted tags.
- CVE-2025-12977 – An improper enter validation of tags derived from user-controlled fields, permitting an attacker to inject newlines, traversal sequences, and management characters that may corrupt downstream logs.
- CVE-2025-12969 – A lacking safety.customers authentication within the in_forward plugin that is used to obtain logs from different Fluent Bit cases utilizing the Ahead protocol, permitting attackers to ship logs, inject false telemetry, and flood a safety product’s logs with false occasions.
“The quantity of management enabled by this class of vulnerabilities might enable an attacker to breach deeper right into a cloud setting to execute malicious code by Fluent Bit, whereas dictating which occasions are recorded, erasing or rewriting incriminating entries to cover their tracks after an assault, injecting faux telemetry, and injecting believable faux occasions to mislead responders,” researchers stated.
The CERT Coordination Heart (CERT/CC), in an impartial advisory, stated many of those vulnerabilities require an attacker to have community entry to a Fluent Bit occasion, including they may very well be used for authentication bypass, distant code execution, service disruption, and tag manipulation.
Following accountable disclosure, the problems have been addressed in variations 4.1.1 and 4.0.12 launched final month. Amazon Internet Providers (AWS), which additionally engaged in coordinated disclosure, has urged prospects operating Fluentbit to replace to the newest model for optimum safety.
Given Fluent Bit’s recognition inside enterprise environments, the shortcomings have the potential to impair entry to cloud providers, enable information tampering, and seize management of the logging service itself.
Different advisable actions embrace avoiding use of dynamic tags for routing, locking down output paths and locations to forestall tag-based path enlargement or traversal, mounting /fluent-bit/and so forth/ and configuration information as read-only to dam runtime tampering, and operating the service as non-root customers.
The event comes greater than a 12 months after Tenable detailed a flaw in Fluent Bit’s built-in HTTP server (CVE-2024-4323 aka Linguistic Lumberjack) that may very well be exploited to attain denial-of-service (DoS), data disclosure, or distant code execution.
