CISA issues alert on Fluent Bit vulnerabilities including authentication bypass and remote code execution

Fluent Bit, a processor and forwarder of logs and metrics used in cloud and container networking contexts, contains multiple vulnerabilities that could enable authentication bypass, remote code execution, Denial of Service (DoS), and tag manipulation affecting its functionality. These issues primarily stem from flawed plugin implementations and tag processing methods. Exploiting these vulnerabilities requires network access to the Fluent Bit instance.

The advisory details five vulnerabilities with distinct technical attributes.

CVE-2025-12972 involves the out_file plugin, which fails to sanitize tag inputs when the File option is omitted, allowing attackers to craft path traversal sequences in tags that result in writing files outside the expected directory.

CVE-2025-12970 concerns the extract_name() function in the in_docker input plugin, which copies container names into a fixed-size stack buffer without length validation, making it vulnerable to buffer overflow through long container names and enabling crashes or code execution.

CVE-2025-12969 pertains to the in_forward input plugin, which inadequately enforces the security.users authentication under certain configurations, permitting unauthenticated remote data submission that can lead to forged log injection, alert flooding, or routing manipulation.

CVE-2025-12977 addresses improper sanitization of tag_key inputs in the in_http, in_splunk, and in_elasticsearch plugins, where special characters like newlines or ../ sequences within tag_key values are treated as valid tags, facilitating newline injection, path traversal, forged record injection, or misrouting.

CVE-2025-12978 involves a validation flaw in the tag_key logic of the same three plugins, failing to enforce exact key-length matching and causing tag prefixes to be misinterpreted as full matches, allowing authenticated or exposed remote attackers to manipulate tags and redirect records improperly.
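The two tag_key issues (CVE-2025-12977 and CVE-2025-12978) come down to two checks: the record key must match the configured tag_key exactly, and the value that becomes the tag must be sanitized. The C example below is added here for illustration and is not Fluent Bit's code; the function names, MAX_TAG_LEN, the allow-list policy and the sample fields are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TAG_LEN 128  /* assumed limit for this example */

/* Flawed pattern: the compare is limited to the record key's length, with
 * no length-equality check, so a key that is only a prefix of the
 * configured tag_key is accepted as a full match. */
static bool key_match_len_limited(const char *key, size_t key_len, const char *cfg)
{
    return strncmp(key, cfg, key_len) == 0;
}

/* Corrected pattern: lengths must be equal before the bytes are compared. */
static bool key_match_exact(const char *key, size_t key_len, const char *cfg)
{
    return key_len == strlen(cfg) && memcmp(key, cfg, key_len) == 0;
}

/* Allow-list for the value that becomes the tag: letters, digits, '_', '-'
 * and single dots. This rejects newlines, path separators and "..". */
static bool tag_value_is_safe(const char *v, size_t len)
{
    if (len == 0 || len > MAX_TAG_LEN) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return false;
        if (c == '.' && i + 1 < len && v[i + 1] == '.') return false;
    }
    return true;
}

/* A record field supplies the tag only if both checks pass. */
static bool accept_tag(const char *key, size_t key_len,
                       const char *val, size_t val_len, const char *cfg)
{
    return key_match_exact(key, key_len, cfg) && tag_value_is_safe(val, val_len);
}

int main(void)
{
    /* Constructed sample fields; "tag" is the assumed configured tag_key. */
    printf("prefix key, len-limited: %d\n", key_match_len_limited("t", 1, "tag"));
    printf("prefix key, exact:       %d\n", key_match_exact("t", 1, "tag"));
    printf("value with newline:      %d\n", accept_tag("tag", 3, "app\nforged", 10, "tag"));
    return 0;
}
```

The same value check applies wherever a tag is later used to derive a file name, which is the situation described for the out_file plugin in CVE-2025-12972.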

The identified vulnerabilities could lead to authentication bypass, remote code execution, DoS, and improper operation of Fluent Bit caused by manipulated tag processing.

Versions 4.0.12, 4.1.1, and 4.2.0 of Fluent Bit include fixes for these vulnerabilities. Users are advised to update to these versions to address the issues. The updated releases are available from official Fluent Bit sources.

The advisory acknowledges the reporting by Uri Katz of Oligo Security and the documentation by Christopher Cullen. It emphasizes the importance of updating Fluent Bit to the remediated versions to prevent exploitation. No additional mitigation measures beyond applying official updates are specified in the advisory.