CISA issues update on Fluent Bit vulnerabilities including authentication bypass and code execution

Fluent Bit, a tool for processing and forwarding logs and metrics in cloud and container-based networks, is affected by multiple vulnerabilities that could enable authentication bypass, remote code execution, Denial of Service (DoS), and tag manipulation. These issues primarily arise due to the handling of tags and certain Fluent Bit plugins. Exploitation generally demands network access to the affected Fluent Bit instance. The flaws have been addressed in version 4.1.0 and later releases.

Five specific vulnerabilities have been identified.

CVE-2025-12972 involves the out_file plugin, which improperly sanitizes tag values when generating output file names, potentially allowing network attackers to induce path traversal and write files outside the designated output directory if the File option is omitted.

CVE-2025-12970 pertains to the extract_name() function in the in_docker input plugin, where container names copied into a fixed-size stack buffer without length validation can cause buffer overflow, resulting in crashes or arbitrary code execution if an attacker supplies overlong container names.

CVE-2025-12969 concerns the in_forward input plugin's failure to enforce the security.users authentication under certain settings, permitting unauthenticated remote data injection by attackers accessing the forward input, thus allowing forged logs, alert flooding, or routing manipulation.

CVE-2025-12977 affects the in_http, in_splunk, and in_elasticsearch input plugins which inadequately sanitize tag_key inputs; specially crafted tag_key values with newline or path traversal characters can result in newline injection, path traversal, forged record injection, or incorrect log routing.

CVE-2025-12978 relates to the tag_key validation in the same input plugins, which does not enforce exact key-length matching, enabling attackers with authenticated or exposed endpoint access to manipulate tags, cause records to be redirected improperly, and compromise log authenticity and integrity.

These vulnerabilities permit authentication bypass, remote code execution, DoS conditions, and manipulation of tag processing, any of which can cause Fluent Bit to operate incorrectly.

All described vulnerabilities have been remediated in Fluent Bit version 4.1.0 and subsequent versions. Updating to version 4.1.0 or a later release is necessary to address these issues.
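To prioritise which instances to upgrade first, the configuration conditions named above can be checked mechanically. The following is an added example, not code from the advisory or the Fluent Bit project: it assumes the classic `[SECTION]` key/value configuration format, and the sample configuration and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample in Fluent Bit's classic config format (not from the advisory).
SAMPLE_CONFIG = """
[INPUT]
    Name            forward
    Security.Users  user1 placeholder-password
[INPUT]
    Name     http
    Tag_Key  service
[OUTPUT]
    Name   file
    Match  *
    Path   /var/log/flb
[OUTPUT]
    Name   file
    Path   /var/log/flb
    File   app.log
"""

TAG_KEY_INPUTS = {"http", "splunk", "elasticsearch"}  # plugins named for CVE-2025-12977/12978

def parse_sections(text):
    """Return [(section_type, {lowercased_key: value})]; keys are case-insensitive."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")):  # skip comments and @INCLUDE/@SET
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1).upper(), {}))
        elif sections:
            key, *rest = line.split(None, 1)
            sections[-1][1][key.lower()] = rest[0] if rest else ""
    return sections

def audit(text):
    """Return (section_number, cve, reason) for settings the advisory ties to a flaw."""
    findings = []
    for number, (kind, opts) in enumerate(parse_sections(text), start=1):
        name = opts.get("name", "").lower()
        if kind == "OUTPUT" and name == "file" and not opts.get("file"):
            findings.append((number, "CVE-2025-12972", "File omitted: output file name comes from the tag"))
        elif kind == "INPUT" and name == "forward" and "security.users" in opts:
            findings.append((number, "CVE-2025-12969", "relies on security.users authentication"))
        elif kind == "INPUT" and name in TAG_KEY_INPUTS and "tag_key" in opts:
            findings.append((number, "CVE-2025-12977/CVE-2025-12978", "tag_key set: tag is taken from record data"))
    return findings

if __name__ == "__main__":
    for number, cve, reason in audit(SAMPLE_CONFIG):
        print(f"section {number}: {cve}: {reason}")
```

A finding marks a setting the advisory associates with a flaw on versions before 4.1.0; it does not replace the upgrade, and CVE-2025-12970 (in_docker) has no configuration indicator in the advisory text, so it is not covered.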

The advisory credits Uri Katz of Oligo Security for reporting these vulnerabilities and notes that Christopher Cullen authored the document.