Cybersecurity researchers have discovered five vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures.
The security defects “allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags,” Oligo Security said in a report shared with The Hacker News.
Successful exploitation of the flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure. The list of identified vulnerabilities is as follows –
- CVE-2025-12972 – A path traversal vulnerability stemming from the use of unsanitized tag values to generate output filenames, making it possible to write or overwrite arbitrary files on disk, enabling log tampering and remote code execution.
- CVE-2025-12970 – A stack buffer overflow vulnerability in the Docker Metrics input plugin (in_docker) that could allow attackers to trigger code execution or crash the agent by creating containers with excessively long names.
- CVE-2025-12978 – A vulnerability in the tag-matching logic lets attackers spoof trusted tags – which are assigned to every event ingested by Fluent Bit – by guessing only the first character of a Tag_Key, allowing an attacker to reroute logs, bypass filters, and inject malicious or misleading records under trusted tags.
- CVE-2025-12977 – An improper input validation of tags derived from user-controlled fields, allowing an attacker to inject newlines, traversal sequences, and control characters that can corrupt downstream logs.
- CVE-2025-12969 – A missing security.users authentication in the in_forward plugin that’s used to receive logs from other Fluent Bit instances using the Forward protocol, allowing attackers to send logs, inject false telemetry, and flood a security product’s logs with false events.
“The amount of control enabled by this class of vulnerabilities could allow an attacker to breach deeper into a cloud environment to execute malicious code through Fluent Bit, while dictating which events are recorded, erasing or rewriting incriminating entries to hide their tracks after an attack, injecting fake telemetry, and injecting plausible fake events to mislead responders,” researchers said.
The CERT Coordination Center (CERT/CC), in an independent advisory, said many of these vulnerabilities require an attacker to have network access to a Fluent Bit instance, adding they could be used for authentication bypass, remote code execution, service disruption, and tag manipulation.
Following responsible disclosure, the issues have been addressed in versions 4.1.1 and 4.0.12 released last month. Amazon Web Services (AWS), which also engaged in coordinated disclosure, has urged customers running Fluentbit to update to the latest version for optimal protection.
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
