Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions
- Nov 25, 2025
Key Findings
Cybersecurity researchers have discovered five vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures.
The security defects allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags.
Successful exploitation of the flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure.
Background
Fluent Bit is a popular, open-source and lightweight data collector that is widely used in enterprise environments, including finance, delivery apps, and cloud platforms, to ingest and process telemetry data. Given its positioning on the data ingestion path and handling of sensitive information, any vulnerabilities in Fluent Bit can have severe security implications.
Authentication Bypass (CVE-2025-12969)
The in_forward plugin, which receives logs from other agents, has a critical authentication bypass.
If operators configure it with `Security.Users` (username and password authentication) but do not set a `Shared_Key`, authentication is not enforced, leaving many Fluent Bit forwarders open to attacker connections.
An attacker could flood a security product's logs with false events to overwhelm security teams or inject false data to hide their activity.
Tag Key Spoofing (CVE-2025-12978)
This flaw allows an attacker to control a record's tag, bypassing configuration security.
The issue lies in a partial string comparison in the `tag_key()` method, meaning that an attacker can send just the first letter and match the `Tag_Key`.
By guessing just the first letter of a tag key, an attacker can spoof the tag on log data and control where and how it's processed.
Tag Injection (CVE-2025-12977)
Tags derived dynamically from a record using `Tag_Key` bypass the normal sanitization process.
This allows an attacker to inject problematic characters like spaces, newlines, or path traversal patterns (`../`) into the tag, leading to log corruption, output injection, and in some setups, path traversal.
Path Traversal File Write (CVE-2025-12972)
The most critical outcome is a path traversal vulnerability in the `out_file` plugin.
When the file output lacks a defined `File` key, it uses the tag to build the file name. Because the tag can be attacker-controlled (and, via the previous flaws, injected with `../`), path traversal sequences (`../`) in the tag change the file path and name.
On many systems this lets attackers create or overwrite files anywhere on the filesystem, which can lead to tampered logs, planted malicious files, and ultimately remote code execution.
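As an added illustration (constructed here, not Fluent Bit's code), the three tag-related flaws above modeled in Python: a length-limited `Tag_Key` comparison that a one-letter field name satisfies, a record-derived tag used verbatim as an `out_file`-style file name, and a hardened variant that allow-lists the tag and confines the resolved path to the output directory. The allow-list pattern, the directory `/var/log/fluent` and all function names are assumptions.

```python
import posixpath
import re
from typing import Callable, Optional

# Constructed illustration, not Fluent Bit's own code: a record field chosen by
# `Tag_Key` becomes the tag, and an out_file-style output with no `File` key
# turns that tag into a file name. Vulnerable and hardened variants side by side.

# Assumed allow-list for record-derived tags; Fluent Bit's own rules may differ.
SAFE_TAG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")

def vulnerable_tag_key_match(configured: str, supplied: str) -> bool:
    """Length-limited comparison (simplified model of CVE-2025-12978):
    a field name that is merely a prefix of Tag_Key still matches."""
    return supplied != "" and configured.startswith(supplied)

def hardened_tag_key_match(configured: str, supplied: str) -> bool:
    """Exact, full-length comparison."""
    return configured == supplied

def tag_from_record(record: dict, key: str,
                    match: Callable[[str, str], bool]) -> Optional[str]:
    """Return the value of the first record field that `match` accepts as Tag_Key."""
    for field, value in record.items():
        if match(key, field):
            return str(value)
    return None

def vulnerable_output_path(base_dir: str, tag: str) -> str:
    """Tag used verbatim as the file name (the CVE-2025-12972 pattern)."""
    return posixpath.normpath(posixpath.join(base_dir, tag))

def hardened_output_path(base_dir: str, tag: str) -> str:
    """Reject unsafe tags and, as defence in depth, any path outside base_dir."""
    if not SAFE_TAG.fullmatch(tag):
        raise ValueError(f"rejected tag {tag!r}: disallowed characters")
    path = posixpath.normpath(posixpath.join(base_dir, tag))
    if posixpath.commonpath([base_dir, path]) != posixpath.normpath(base_dir):
        raise ValueError(f"rejected tag {tag!r}: escapes {base_dir}")
    return path

def tag_accepted(base_dir: str, tag: str) -> bool:
    """True if the hardened output would write the tag's file inside base_dir."""
    try:
        hardened_output_path(base_dir, tag)
        return True
    except ValueError:
        return False
```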
Stack Buffer Overflow (CVE-2025-12970)
A stack buffer overflow exists in the Docker Metrics input plugin (`in_docker`).
The plugin copies a container's name into a fixed 256-byte stack buffer without checking its length.
An attacker who can create a container with an excessively long name can crash the agent or execute arbitrary code.
Sources
https://thehackernews.com/2025/11/new-fluent-bit-flaws-expose-cloud-to.html
https://securityonline.info/critical-fluent-bit-flaws-enable-rce-and-telemetry-tampering-in-major-orgs/
https://www.youtube.com/watch?v=zSdrbHqp8wA
https://community.opentextcybersecurity.com/vulnerability-vault-228/new-fluent-bit-flaws-expose-cloud-to-rce-and-stealthy-infrastructure-intrusions-362716
https://x.com/AdliceSoftware/status/1992989119413162348