https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover reports these newly disclosed vulnerabilities in Fluent Bit:
* CVE-2025-12972: Unsanitized tag values are used to generate output filenames, allowing attackers to inject path-traversal sequences like “../” to write or overwrite arbitrary files on disk, enabling log tampering and, in many configurations, full remote code execution.
* CVE-2025-12970: A stack buffer overflow in the Docker input enables attackers to trigger crashes or execute code by creating containers with excessively long names, giving them control over the Fluent Bit agent on the host.
* CVE-2025-12978: A flaw in Fluent Bit’s tag-matching logic lets attackers spoof trusted tags by guessing only the first character of a Tag_Key, enabling them to reroute logs, bypass filters, and inject malicious or misleading records.
* CVE-2025-12977: Tags derived from user-controlled fields bypass sanitization, allowing attackers to inject newlines, traversal sequences, and control characters that corrupt downstream logs or enable broader output-based attacks.
* CVE-2025-12969: Fluent Bit forwarders configured with Security.Users silently disable authentication, allowing remote attackers to send logs, inject false telemetry, or flood detection systems despite appearing secured.
https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ provides their analysis and information about fixes in versions 4.2, 4.1.1, and 4.0.14, which are available from https://github.com/fluent/fluent-bit . -- -Alan Coopersmith- [email protected] Oracle Solaris Engineering - https://blogs.oracle.com/solaris
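As an added illustration, not code from the post or from Fluent Bit itself, here is the defensive check a file output should apply before a record tag becomes a filename, covering the tag-handling issues described for CVE-2025-12972 and CVE-2025-12977: tags carrying traversal sequences, newlines or other control characters are refused, and the derived path is verified to stay inside the output directory. The function names and the `/var/log/flb` directory are assumptions of this example.

```python
import os
import re

# Added illustration, not Fluent Bit's own code: derive an output filename from a
# record tag while refusing the values described for CVE-2025-12972 / CVE-2025-12977
# (traversal sequences, newlines, control characters) instead of handing them to
# the filesystem. Tags are dot-separated, so no '/' or whitespace is accepted.
_TAG_RE = re.compile(r"[A-Za-z0-9_.-]+")

class UnsafeTag(ValueError):
    """Tag must not be used to build an output path."""

def validate_tag(tag: str) -> str:
    """Return tag unchanged if it may become a filename component, else raise."""
    if not tag or len(tag) > 255:
        raise UnsafeTag("empty or oversized tag")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in tag):
        raise UnsafeTag("control character in tag")  # a newline here forges log records
    if not _TAG_RE.fullmatch(tag):
        raise UnsafeTag("character outside the allow-list in tag")
    if tag in (".", ".."):
        raise UnsafeTag("tag names a directory, not a file")
    return tag

def safe_output_path(base_dir: str, tag: str) -> str:
    """Build <base_dir>/<tag> and prove the result stays inside base_dir."""
    validate_tag(tag)
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, tag))
    # Containment check kept as defense in depth behind the allow-list.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeTag("tag resolves outside the output directory")
    return candidate

def is_safe_tag(base_dir: str, tag: str) -> bool:
    """Boolean wrapper around safe_output_path for quick checks."""
    try:
        safe_output_path(base_dir, tag)
        return True
    except UnsafeTag:
        return False

if __name__ == "__main__":
    # Constructed sample tags: one benign, the rest shaped like the reported abuses.
    for t in ["app.web", "../../etc/cron.d/job", "app\n../../x", "..", "a.b/c"]:
        print(repr(t), "->", "ok" if is_safe_tag("/var/log/flb", t) else "REJECTED")
```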
