

Ethical Hacking News

New Flaws in Fluent Bit Expose Clouds to RCE and Stealthy Infrastructure Intrusions



Fluent Bit, an open-source telemetry agent, has been found to have five vulnerabilities that can compromise cloud infrastructures. These flaws allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags. To protect themselves, users are urged to update to the latest version of Fluent Bit and follow recommended security measures.

  • Fluent Bit, a lightweight telemetry agent, has been found to have five vulnerabilities that can compromise cloud infrastructures.
  • The identified vulnerabilities include path traversal, remote code execution, denial-of-service conditions, and tag manipulation.
  • CVE-2025-12972: Path traversal vulnerability allowing log tampering and remote code execution through unsanitized tag values.
  • CVE-2025-12970: Stack buffer overflow vulnerability in Docker Metrics input plugin that can trigger code execution or crash the agent.
  • CVE-2025-12978: Vulnerability in tag-matching logic allowing attackers to spoof trusted tags and reroute logs.
  • CVE-2025-12977: Improper input validation of tags, allowing injection of newlines, traversal sequences, and control characters.
  • CVE-2025-12969: Missing security.users authentication in the in_forward plugin that can be used to inject false telemetry.



    Fluent Bit, an open-source and lightweight telemetry agent, has been found to have five vulnerabilities that could be chained together to compromise cloud infrastructures. The security defects discovered by Oligo Security allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags.

    The identified vulnerabilities are as follows:
    - CVE-2025-12972: A path traversal vulnerability stemming from the use of unsanitized tag values to generate output filenames. This allows attackers to write or overwrite arbitrary files on disk, enabling log tampering and remote code execution.
    - CVE-2025-12970: A stack buffer overflow vulnerability in the Docker Metrics input plugin (in_docker) that could allow attackers to trigger code execution or crash the agent by creating containers with excessively long names.
    - CVE-2025-12978: A vulnerability in the tag-matching logic lets attackers spoof trusted tags – which are assigned to every event ingested by Fluent Bit – by guessing only the first character of a Tag_Key, allowing an attacker to reroute logs, bypass filters, and inject malicious or misleading records under trusted tags.
    - CVE-2025-12977: Improper input validation of tags derived from user-controlled fields, allowing an attacker to inject newlines, traversal sequences, and control characters that can corrupt downstream logs.
    - CVE-2025-12969: Missing security.users authentication in the in_forward plugin, which is used to receive logs from other Fluent Bit instances using the Forward protocol, allowing attackers to send logs, inject false telemetry, and flood a security product's logs with false events.

    According to CERT Coordination Center (CERT/CC), many of these vulnerabilities require an attacker to have network access to a Fluent Bit instance, adding that they could be used for authentication bypass, remote code execution, service disruption, and tag manipulation. The researchers also noted that the amount of control enabled by this class of vulnerabilities could allow an attacker to breach deeper into a cloud environment to execute malicious code through Fluent Bit, while dictating which events are recorded, erasing or rewriting incriminating entries to hide their tracks after an attack, injecting fake telemetry, and injecting plausible fake events to mislead responders.

    The issues have been addressed in versions 4.1.1 and 4.0.12, released last month. Amazon Web Services (AWS) has urged its customers running Fluent Bit to update to the latest version for optimal protection.

    Given Fluent Bit's popularity within enterprise environments, the shortcomings have the potential to impair access to cloud services, allow data tampering, and let attackers seize control of the logging service itself. Other recommended actions include avoiding the use of dynamic tags for routing, locking down output paths and destinations to prevent tag-based path expansion or traversal, mounting /fluent-bit/etc/ and configuration files as read-only to block runtime tampering, and running the service as a non-root user.
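
    The tag-to-filename weakness described for CVE-2025-12972, the tag validation gap in CVE-2025-12977 and the recommendation to lock down output paths all come down to one check: validate the tag before it becomes part of a path. The C sketch below is an added example, not Fluent Bit source code or its actual patch; the function names, the 128-byte limit, the ".log" suffix and the /var/log/flb directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TAG_LEN 128  /* assumed policy limit, not a Fluent Bit constant */

/* Return 1 if tag may be used as a single file-name component, else 0.
 * Allowlist: ASCII letters, digits, '.', '_' and '-'. Everything else
 * ('/', '\\', newlines, control characters) is rejected, as are a
 * leading dot, any ".." sequence and over-long tags. */
int tag_is_safe(const char *tag)
{
    size_t i;
    if (tag == NULL || tag[0] == '\0' || tag[0] == '.')
        return 0;
    for (i = 0; tag[i] != '\0'; i++) {
        unsigned char c = (unsigned char)tag[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (i >= MAX_TAG_LEN || !ok)
            return 0;
        if (c == '.' && tag[i + 1] == '.')
            return 0;
    }
    return 1;
}

/* Build "<dir>/<tag>.log" in dst. Returns 0 on success and -1 if the tag
 * is rejected or the result does not fit (no truncated path is used). */
int build_output_path(char *dst, size_t dst_sz, const char *dir, const char *tag)
{
    int n;
    if (!tag_is_safe(tag))
        return -1;
    n = snprintf(dst, dst_sz, "%s/%s.log", dir, tag);
    if (n < 0 || (size_t)n >= dst_sz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample tags: one benign, three that must be refused. */
    const char *tags[] = { "app.nginx", "../../etc/cron.d/job", "app\nfake", "a/b" };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof tags / sizeof tags[0]; i++) {
        int rc = build_output_path(path, sizeof path, "/var/log/flb", tags[i]);
        printf("tag %zu: %s\n", i, rc == 0 ? path : "rejected");
    }
    return 0;
}
```

    The bounded snprintf with an explicit truncation check applies the same length discipline that matters for the over-long container names in CVE-2025-12970.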

    This discovery comes more than a year after Tenable detailed a flaw in Fluent Bit's built-in HTTP server (CVE-2024-4323 aka Linguistic Lumberjack) that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution. The development highlights the need for constant vigilance and timely updates by users of open-source software.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Flaws-in-Fluent-Bit-Expose-Clouds-to-RCE-and-Stealthy-Infrastructure-Intrusions-ehn.shtml

  • https://thehackernews.com/2025/11/new-fluent-bit-flaws-expose-cloud-to.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-4323

  • https://www.cvedetails.com/cve/CVE-2024-4323/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12969

  • https://www.cvedetails.com/cve/CVE-2025-12969/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12970

  • https://www.cvedetails.com/cve/CVE-2025-12970/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12972

  • https://www.cvedetails.com/cve/CVE-2025-12972/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12977

  • https://www.cvedetails.com/cve/CVE-2025-12977/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12978

  • https://www.cvedetails.com/cve/CVE-2025-12978/


  • Published: Mon Nov 24 10:13:51 2025 by llama3.2 3B Q4_K_M












