Fluent Bit Flaws Expose Cloud to RCE and Stealthy Telemetry Tampering

  • Nov 25, 2025

Key Findings


  • Critical authentication bypass vulnerability (CVE-2025-12969) in the `in_forward` plugin allows attackers to connect to Fluent Bit forwarders without authentication

  • Tag key spoofing flaw (CVE-2025-12978) enables attackers to control a record's tag, bypassing configuration security

  • Tag injection vulnerability (CVE-2025-12977) allows attackers to inject problematic characters into tags, leading to log corruption and output injection

  • Path traversal vulnerability (CVE-2025-12972) in the `out_file` plugin enables attackers to write files anywhere on the filesystem, which can lead to remote code execution

  • Stack buffer overflow (CVE-2025-12970) in the Docker Metrics input plugin can be exploited to crash the agent or execute arbitrary code


Background


Fluent Bit is a popular, lightweight telemetry agent used by major organizations in finance, delivery apps, and cloud platforms. Due to its position on the ingestion path and its handling of sensitive data and untrusted input, any vulnerabilities in Fluent Bit can become "high impact security issues."


Authentication Bypass (CVE-2025-12969)


The `in_forward` plugin, which receives logs from other agents, has a critical authentication bypass. If operators configure it with `Security.Users` (username and password authentication) but do not set a `Shared_Key`, the report found that "authentication is not enforced." This "leaves many fluent-bit forwarders open to attacker connections while giving users a false sense of security." An attacker could "flood a security product's logs with false events to spam alerts to overwhelm security teams" or inject false data to hide their activity.


Tag Key Spoofing (CVE-2025-12978)


This flaw allows an attacker to control a record's tag, bypassing configuration security. The issue lies in a partial string comparison in the `tag_key()` method. The comparison is only as long as the user-supplied key, "meaning that an attacker can send just the first letter and match the Tag_Key." In short, "by guessing just the first letter of a tag key an attacker can spoof the tag on log data and control where and how it's processed."


Tag Injection (CVE-2025-12977)


Tags derived dynamically from a record using `Tag_Key` bypass the normal sanitization process. This allows an attacker to inject problematic characters like spaces, newlines, or path traversal patterns (`../`) into the tag. This can lead to "log corruption, output injection, and in some setups path traversal."


Path Traversal File Write (CVE-2025-12972)


The most critical outcome is a path traversal vulnerability in the `out_file` plugin. When the file output lacks a defined `File` key, it uses the tag to create the file name. Since the tag can be controlled (and injected with `../` from the previous flaws), "Attackers can use path traversal characters `'../'` in the Tag to change the file path and name." This can lead to RCE on many systems, allowing attackers to "create or overwrite files anywhere on the filesystem, which can lead to tampered logs, planted malicious files, and remote code execution."
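
To check whether a deployment matches the two configuration preconditions described above (`Security.Users` without `Shared_Key` on `in_forward`, and `out_file` without a `File` key), the following added example audits a config file. It is not code from Fluent Bit or from the report; it assumes the classic `[SECTION]` / `key value` config format, does not follow `@INCLUDE` or parse YAML configs, and the sample config is constructed.

```python
# Added example: audit a classic-mode Fluent Bit config (assumed format).
# SAMPLE_CONF is constructed for illustration, not taken from a deployment.
SAMPLE_CONF = """\
[INPUT]
    Name            forward
    Port            24224
    Security.Users  alice example-password
[INPUT]
    Name            forward
    Shared_Key      example-shared-key
    Security.Users  bob example-password
[OUTPUT]
    Name   file
    Match  *
    Path   /var/log/flb
[OUTPUT]
    Name   file
    Path   /var/log/flb
    File   app.log
"""

def parse_sections(text):
    """Return [(SECTION, {lowercased_key: value})]; keys are case-insensitive."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().upper(), {}))
        elif sections:
            parts = line.split(None, 1)
            sections[-1][1][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return sections

def audit(text):
    """Return (section_index, finding) for sections matching either precondition."""
    findings = []
    for idx, (section, kv) in enumerate(parse_sections(text)):
        plugin = kv.get("name", "").lower()
        if (section == "INPUT" and plugin == "forward"
                and kv.get("security.users") and not kv.get("shared_key")):
            findings.append((idx, "CVE-2025-12969: Security.Users set without Shared_Key"))
        if section == "OUTPUT" and plugin == "file" and not kv.get("file"):
            findings.append((idx, "CVE-2025-12972: no File key, file name derives from tag"))
    return findings

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE_CONF):
        print(f"section {idx}: {finding}")
```

A finding means the section matches the precondition the article describes, not that the host has been compromised.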


Stack Buffer Overflow (CVE-2025-12970)


Separately, a stack buffer overflow exists in the Docker Metrics input plugin (`in_docker`). The plugin copies a container's name into a fixed 256-byte stack buffer without checking its length. An attacker who can create a container with an "excessively long name" can "crash the agent or execute arbitrary code."


Sources


  • https://securityonline.info/critical-fluent-bit-flaws-enable-rce-and-telemetry-tampering-in-major-orgs/

  • https://x.com/fridaysecurity/status/1993155180570063256

  • https://x.com/the_yellow_fall/status/1993154888759664922

  • https://www.cypro.se/2025/11/24/new-fluent-bit-flaws-expose-cloud-to-rce-and-stealthy-infrastructure-intrusions/

© 2025 by Explain IT Again.