Cybersecurity researchers have found 5 vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures.
The security defects “permit attackers to bypass authentication, carry out path traversal, obtain remote code execution, trigger denial-of-service conditions, and manipulate tags,” Oligo Security said in a report shared with The Hacker News.

Successful exploitation of the flaws could allow attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure. The list of identified vulnerabilities is as follows:
- CVE-2025-12972 – A path traversal vulnerability stemming from the use of unsanitized tag values to generate output filenames, making it possible to write or overwrite arbitrary files on disk, enabling log tampering and remote code execution.
- CVE-2025-12970 – A stack buffer overflow vulnerability in the Docker Metrics input plugin (in_docker) that could allow attackers to trigger code execution or crash the agent by creating containers with excessively long names.
- CVE-2025-12978 – A vulnerability in the tag-matching logic lets attackers spoof trusted tags – which are assigned to every event ingested by Fluent Bit – by guessing only the first character of a Tag_Key, allowing an attacker to reroute logs, bypass filters, and inject malicious or misleading records under trusted tags.
- CVE-2025-12977 – An improper input validation of tags derived from user-controlled fields, allowing an attacker to inject newlines, traversal sequences, and control characters that can corrupt downstream logs.
- CVE-2025-12969 – A missing security.users authentication in the in_forward plugin that's used to receive logs from other Fluent Bit instances using the Forward protocol, allowing attackers to send logs, inject false telemetry, and flood a security product’s logs with false events.
“The amount of control enabled by this class of vulnerabilities could allow an attacker to breach deeper into a cloud environment to execute malicious code through Fluent Bit, while dictating which events are recorded, erasing or rewriting incriminating entries to hide their tracks after an attack, injecting fake telemetry, and injecting plausible fake events to mislead responders,” researchers said.
The CERT Coordination Center (CERT/CC), in an independent advisory, said many of these vulnerabilities require an attacker to have network access to a Fluent Bit instance, adding they could be used for authentication bypass, remote code execution, service disruption, and tag manipulation.
Following responsible disclosure, the issues have been addressed in versions 4.1.1 and 4.0.12 released last month. Amazon Web Services (AWS), which also engaged in coordinated disclosure, has urged customers running Fluent Bit to update to the latest version for optimal protection.

Given Fluent Bit’s popularity within enterprise environments, the shortcomings have the potential to impair access to cloud services, allow data tampering, and seize control of the logging service itself.
Other recommended actions include avoiding use of dynamic tags for routing, locking down output paths and destinations to prevent tag-based path expansion or traversal, mounting /fluent-bit/etc/ and configuration files as read-only to block runtime tampering, and running the service as non-root users.
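The output-path lock-down recommended above, sketched as an added example (not code from Fluent Bit, Oligo or this article): an allowlist for tag values combined with a containment check on any filename derived from a tag. The tag policy, the function names and the sample tags are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed policy (not Fluent Bit's own rule): dot-separated labels of
# letters, digits, '_' and '-', at most 128 characters in total.
TAG_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*")
MAX_TAG_LEN = 128


def validate_tag(tag: str) -> bool:
    """Return True only if the tag matches the allowlist policy."""
    if not 0 < len(tag) <= MAX_TAG_LEN:
        return False
    # fullmatch rejects newlines, control characters, '/', '\' and '..'
    return TAG_RE.fullmatch(tag) is not None


def output_path_for_tag(base_dir: str, tag: str) -> str:
    """Map a tag to a file under base_dir, or raise ValueError."""
    if not validate_tag(tag):
        raise ValueError(f"rejected tag: {tag!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, tag + ".log"))
    # Defence in depth: the resolved path must stay inside base_dir,
    # which also catches a symlink planted in the output directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes output directory: {tag!r}")
    return candidate


def audit_tags(base_dir: str, tags: list) -> tuple:
    """Return ({tag: path} for accepted tags, [rejected tags])."""
    accepted, rejected = {}, []
    for tag in tags:
        try:
            accepted[tag] = output_path_for_tag(base_dir, tag)
        except ValueError:
            rejected.append(tag)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample tags, not taken from any real deployment.
    samples = ["app.web", "kube.ns-1.pod_2", "../../outside",
               "app\nforged line", "/abs/path", "a..b", ""]
    with tempfile.TemporaryDirectory() as d:
        ok, bad = audit_tags(d, samples)
        print("accepted:", sorted(ok), "rejected:", bad)
```

The same two checks can sit in whatever component turns a tag into a path or routing key; rejecting the tag outright is safer than trying to strip the offending characters.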
The development comes more than a year after Tenable detailed a flaw in Fluent Bit’s built-in HTTP server (CVE-2024-4323 aka Linguistic Lumberjack) that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution.



