A series of “trivial-to-exploit” vulnerabilities in Fluent Bit, an open source log collection tool that runs in every major cloud and AI lab, was left open for years, giving attackers an exploit chain to completely disrupt cloud services and alter data.
The Oligo Security research team found the five vulnerabilities and – in coordination with the project’s maintainers – on Monday published details about the bugs that allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags.
Updating to the latest stable version, v4.1.1 / 4.0.12, fixes the flaws.
Fluent Bit, an open source project maintained by Chronosphere, is used by major cloud providers and tech giants, including Google, Amazon, Oracle, IBM, and Microsoft, to collect and route data.
It’s a lightweight telemetry data agent and processor for logs, metrics, and traces, and it has more than 15 billion deployments. At KubeCon earlier this month, OpenAI said it runs Fluent Bit on all of its Kubernetes nodes.
It’s been around for 14 years, and at least one of the newly disclosed bugs, a path-traversal flaw now tracked as CVE 2025-12972, has left cloud environments vulnerable for more than 8 years, according to Oligo Security researcher Uri Katz.
This, Katz told The Register, is because “the file-output behavior that makes path traversal possible has been a part of Fluent Bit since its early architecture. The other issues aren’t quite as old but are still long-standing.”
Most of these vulnerabilities are due to a new plugin being introduced, he added. “We can see based on code history, the tag-handling flaw behind CVE-2025-12977 has been present for at least four years, and the Docker input buffer overflow (CVE-2025-12970) goes back roughly 6 years.”
[…]
The five CVEs are:
CVE-2025-12977, a partial string comparison vulnerability in the tag_key configuration option. Affected inputs: HTTP, Splunk, Elasticsearch.
This type of flaw occurs when a program accepts a partial input string as a match for a complete string (like a password, username, or file path), and in this case, the vulnerability allows an attacker to control the value of tags – thus determining how and where the log data is processed – without knowing the tag_key value.
“An attacker with network access to a fluentbit http input server, Elasticsearch input data or Splunk input data, can send a json with a key from A-Z 0-9 essentially making sure one of the characters will match the key allowing them to control the tag value,” the Oligo researchers wrote. “An attacker could hijack routing, inject fake or malicious records under trusted tags, bypass filters or monitoring, and confuse downstream systems so logs end up in unexpected databases, dashboards, or alerting tools.”
CVE-2025-12978 is due to improper input validation on tag_key records. Affected inputs: HTTP, Splunk, Elasticsearch.
Fluent Bit’s tag_key option lets record fields bypass the normal sanitization process and define tags directly, which can lead to path traversal, injection, or unexpected file writes in downstream outputs.
CVE-2025-12972, a path traversal vulnerability in the File output plugin.
Vulnerable configurations:
- Any configuration where the Tag value can be controlled (directly or indirectly) and the file output lacks a defined File key.
- HTTP input with tag_key set and file output missing the File key.
- Splunk input with tag_key set and file output missing the File key.
- Elasticsearch input with tag_key set and file output missing the File key.
- Forward input combined with file output missing the File key.
Again, because Fluent Bit uses tags straight from incoming logs without sanitizing them, attackers can use path traversal characters “../” in the tag to change the file path and name. “Since attackers can also partially control the data written to the file, this can lead to RCE on many systems,” the researchers warn.
CVE-2025-12970, a stack buffer overflow bug in the in_docker plugin, used to collect Docker container metrics.
Fluent Bit copies a container’s name into a fixed 256-byte buffer without checking its length, and this means a long container name can overflow that stack buffer. An attacker who can control container names or create containers can use a long name to trigger a stack overflow and crash the agent or execute code. “In a worse scenario, the overflow could let an attacker run code as the agent, letting them steal secrets from the host, install a backdoor, or move laterally to other services,” according to the bug hunters.
CVE-2025-12969, an authentication bypass vulnerability in the in_forward plugin – this is a network input plugin that receives logs from other Fluent Bit or Fluentd instances.
The researchers found that if the security.users configuration option is specified, no authentication occurs. This could allow all manner of nefarious activity including spamming security alerts to hide actual malicious behavior, injecting false telemetry to hide attackers’ activity, overwriting or exfiltrating logs, or feeding misleading data into detection pipelines.
Worst-case scenario
“A hypothetical worst-case scenario would be an attacker chaining these flaws together,” Katz said. “For example: an attacker sends a crafted log message that abuses the tag_key vulnerabilities (CVE-2025-12977 / CVE-2025-12978) and then embeds path-traversal characters to trigger the file-write vulnerability (CVE-2025-12972). That lets the attacker overwrite files on the host and escalate to remote code execution.”
Additionally, because Fluent Bit is commonly deployed as a Kubernetes DaemonSet, “a single compromised log agent can cascade into full node and cluster takeover, with the attacker tampering with logs to hide their activity and establishing long-term persistence across all nodes,” he added.
[…]
