Five Fluent Bit Vulnerabilities Threaten Cloud Infrastructures

Researchers at Oligo Security discovered five vulnerabilities in Fluent Bit that, when exploited in combination, could compromise entire cloud infrastructures, including Kubernetes clusters.

Fluent Bit is an open-source solution for collecting, processing, and routing logs and metrics. The tool is deployed across enterprise environments, container platforms, Kubernetes clusters, and cloud infrastructures, with support for Windows, Linux, and macOS.

The scope of Fluent Bit's adoption makes these vulnerabilities particularly significant. The solution is integrated into major Kubernetes distributions from AWS, Google Cloud Platform, and Microsoft Azure. Cybersecurity vendors including CrowdStrike and Trend Micro rely on Fluent Bit, as do technology companies such as Cisco, LinkedIn, VMware, Splunk, Intel, Arm, and Adobe.

Per Oligo Security, the vulnerabilities enable authentication bypass, path traversal attacks, remote code execution, denial of service, and tag manipulation. Successful exploitation allows attackers to disrupt cloud services, manipulate data, and penetrate deeper into cloud and Kubernetes infrastructure.

The Vulnerabilities

The researchers identified five distinct security issues:

CVE-2025-12972 (Path Traversal) — Fluent Bit uses unsanitized tag values when generating filenames, allowing attackers to write or overwrite arbitrary files on disk. This creates opportunities for log forgery and remote code execution.

CVE-2025-12970 (Stack Buffer Overflow) — A buffer overflow exists in the Docker Metrics plugin (in_docker). Attackers can crash the agent or execute arbitrary code by creating containers with excessively long names.

CVE-2025-12978 (Tag Spoofing) — The tag matching logic contains a flaw that allows attackers to spoof trusted tags by guessing just one character of the Tag_Key. This enables log redirection, filter bypass, and injection of malicious entries disguised as legitimate logs.

CVE-2025-12977 (Input Validation) — Fluent Bit fails to properly validate tag input data from user-controlled fields. Attackers can inject newline characters, path traversal sequences, and control characters, corrupting logs in downstream systems.

CVE-2025-12969 (Missing Authentication) — The in_forward plugin does not enforce authentication via security.users when receiving logs from other Fluent Bit instances over the Forward protocol. Attackers can transmit arbitrary logs, inject false telemetry, and flood systems with fake events.
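As an added example (not code from the article or from the Fluent Bit project), the following Python shows the defensive counterpart to the path-traversal and input-validation issues listed above: a tag allowlist that rejects newlines, other control characters and path separators, and a path builder that refuses any filename that would leave the output directory. The base directory, the sample tags and the allowlist alphabet are constructed for the example; `unconfined_output_path` is included only to show how an unchecked tag escapes the directory.

```python
import posixpath
import re

# Allowlist for tags (an assumption made for this example): Fluent Bit tags are
# typically dotted names such as "kube.var.log.app", so letters, digits, '_',
# '-' and '.' are accepted; slashes, newlines and other control characters are
# rejected outright.
TAG_RE = re.compile(r"[A-Za-z0-9_.\-]{1,256}")


def is_safe_tag(tag: str) -> bool:
    """True only for tags that cannot carry traversal or log-splitting payloads."""
    if not TAG_RE.fullmatch(tag):
        return False
    # "." and ".." pass the character allowlist but name directories, not files
    return tag not in (".", "..")


def unconfined_output_path(base_dir: str, tag: str) -> str:
    """Filename built straight from the tag: the pattern the advisory warns about."""
    return posixpath.normpath(posixpath.join(base_dir, tag))


def escapes_base(base_dir: str, path: str) -> bool:
    """True when a normalized path is not base_dir itself or one of its children."""
    base = posixpath.normpath(base_dir)
    return not (path == base or path.startswith(base + "/"))


def confined_output_path(base_dir: str, tag: str) -> str:
    """Build the output path only if the tag is clean and stays under base_dir.

    The containment check is redundant once the allowlist forbids separators,
    but it is kept as a second line of defence in case the allowlist changes.
    """
    if not is_safe_tag(tag):
        raise ValueError("rejected tag: %r" % tag)
    full = unconfined_output_path(base_dir, tag)
    if escapes_base(base_dir, full):
        raise ValueError("path escapes output directory: %r" % full)
    return full


if __name__ == "__main__":
    base = "/srv/fluent-bit/out"  # constructed output directory
    # Constructed tags: one legitimate, three carrying the payload classes the
    # article describes (traversal sequence, newline injection, bare "..").
    for tag in ("app.web.access", "../../tmp/outside", "app\nfake.entry", ".."):
        try:
            print("accepted", repr(tag), "->", confined_output_path(base, tag))
        except ValueError as err:
            print("rejected", repr(tag), "-", err,
                  "(unchecked join would give %r)" % unconfined_output_path(base, tag))
```

The allowlist is deliberately stricter than a blocklist of known-bad sequences: anything that is not a plain dotted name is refused, which covers the newline and control-character cases as well as `../`.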

Attack Capabilities

The vulnerabilities give attackers comprehensive control over logging infrastructure. Per the researchers, an attacker can execute malicious code in cloud environments, determine which events get recorded in logs, and delete or overwrite entries to hide attack traces. Attackers can also inject plausible false events to mislead incident response teams, manipulate data, and disrupt cloud services.

A CERT/CC security bulletin confirms that most of the vulnerabilities can be exploited whenever the Fluent Bit instance is reachable over the network. The bugs enable authentication bypass, remote code execution, and denial-of-service attacks.

Patches and Mitigations

All issues were addressed in versions 4.1.1 and 4.0.12, released in January 2025. Amazon Web Services, which participated in the vulnerability disclosure process, urged customers to update immediately.

Beyond applying patches, security professionals recommend several mitigations:

  • Avoid dynamic tags for routing
  • Strictly limit log write paths and destinations to prevent path traversal
  • Mount configuration files in read-only mode
  • Run Fluent Bit as an unprivileged user
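As an added example that is not part of the article or of Fluent Bit itself, the Python below audits a Fluent Bit classic-format configuration against two of the mitigations above: forward inputs should carry `Shared_Key` and `Security.Users` (the in_forward authentication options the article refers to), and file outputs should use a fixed `File` name rather than a tag-derived filename, with a `Path` inside an allowed directory. The two sample configurations, the allowed root and the finding texts are constructed for the example; the parser is a minimal one for the classic `[SECTION]` / `Key Value` format and is not Fluent Bit's own.

```python
import posixpath

# Constructed sample with two weak spots: a forward input that accepts
# unauthenticated senders and a file output whose filename comes from the tag.
WEAK_CONFIG = """\
[SERVICE]
    Flush        1

[INPUT]
    Name         forward
    Listen       0.0.0.0
    Port         24224

[OUTPUT]
    Name         file
    Match        *
    Path         /var/log/fluent-bit
"""

# Same pipeline with the mitigations applied. Secret values are placeholders.
HARDENED_CONFIG = """\
[SERVICE]
    Flush        1

[INPUT]
    Name            forward
    Listen          0.0.0.0
    Port            24224
    Shared_Key      REPLACE_WITH_SHARED_SECRET
    Security.Users  fb-client REPLACE_WITH_PASSWORD

[OUTPUT]
    Name         file
    Match        app.*
    Path         /var/log/fluent-bit
    File         app.log
"""

# Constructed policy: file outputs may only write below this directory.
ALLOWED_OUTPUT_ROOT = "/var/log/fluent-bit"


def parse_classic(text):
    """Parse the classic format into a list of {section, key: value} dicts.

    Keys are lower-cased because Fluent Bit treats them case-insensitively.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1].upper()}
            sections.append(current)
            continue
        if current is None:
            continue  # key/value lines before any section header are ignored
        parts = line.split(None, 1)
        current[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for sec in parse_classic(text):
        kind = sec["_section"]
        plugin = sec.get("name", "").lower()
        if kind == "INPUT" and plugin == "forward":
            # Both options are needed for the Forward-protocol handshake to
            # authenticate the sending instance.
            if "shared_key" not in sec or "security.users" not in sec:
                findings.append(
                    "forward input on port %s accepts unauthenticated senders: "
                    "set Shared_Key and Security.Users" % sec.get("port", "24224"))
        elif kind == "OUTPUT" and plugin == "file":
            # Without File, out_file names the file after the record's tag.
            if "file" not in sec:
                findings.append(
                    "file output derives filenames from tags (no File key): "
                    "set a fixed File name")
            path = posixpath.normpath(sec.get("path", "."))
            if not (path == ALLOWED_OUTPUT_ROOT
                    or path.startswith(ALLOWED_OUTPUT_ROOT + "/")):
                findings.append("file output Path %s is outside %s"
                                % (path, ALLOWED_OUTPUT_ROOT))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit_config(cfg) or "no findings")
```

The remaining two mitigations (read-only configuration mounts and an unprivileged service user) live in the deployment manifest rather than in the Fluent Bit config, so a complete check would pair this audit with the pod or unit definition.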