{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/761751#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nFluent Bit is a logging and metrics processor and forwarder that is used in a variety of cloud and container networking environments. Several vulnerabilities in Fluent Bit have been discovered that could allow for authentication bypass, remote code execution (RCE) and denial of service (DoS) largely enabled by various Fluent Bit plugins and by how Fluent Bit processes tags. Many of these vulnerabilities require an attacker to have network access to a Fluent Bit instance. Fluent Bit has released version 4.2.0 to remediate the vulnerabilities.\r\n\r\n### Description\r\n\r\nFluent Bit is a logging and metrics processor and forwarder, intended for usage in various cloud and container environments. It is commonly used to forward traffic to a Security Information and Event Management (SIEM) service, such as Splunk, for further analysis. Fluent Bit uses a tagging system to process and manage traffic that it moves. Multiple vulnerabilities have been discovered within Fluent Bit, largely facilitated by various plugins that manipulate or support tags. \r\n\r\nEach individual vulnerability is listed below:\r\n\r\n**CVE-2025-12972**\r\nThe Fluent Bit *out_file* plugin does not properly sanitize tag values when deriving output file names. When the `File` option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.\r\n\r\n**CVE-2025-12970**\r\nThe `extract_name()` function in the Fluent Bit *in_docker* input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution.\r\n\r\n**CVE-2025-12969**\r\nThe Fluent Bit *in_forward* input plugin does not properly enforce the `security.users` authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs.\r\n\r\n**CVE-2025-12977**\r\nThe Fluent Bit *in_http*, *in_splunk*, and *in_elasticsearch* input plugins fail to sanitize `tag_key` inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply `tag_key` values containing special characters such as newlines or `../ `that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, thus impacting data integrity and log routing.\r\n\r\n**CVE-2025-12978**\r\nFluent Bit *in_http*, *in_splunk*, and *in_elasticsearch* input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation.\r\n\r\n### Impact\r\nThe vulnerabilities could be used for authentication bypass, RCE, DoS, and tag manipulation leading to improper function of Fluent Bit.\r\n\r\n### Solution\r\nThe vulnerabilities are all fixed in Fluent Bit version 4.2.0. Users should download and install the latest version of Fluent Bit as soon as possible. The latest version of Fluent Bit is available at https://fluentbit.io/announcements/\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Uri Katz of Oligo Security. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/761751"},{"url":"https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/","summary":"https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/"},{"url":"https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover","summary":"https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover"}],"title":"Fluent Bit contains five vulnerabilities, including stack buffer overflow, auth bypass, and path traversal","tracking":{"current_release_date":"2026-01-05T16:55:15+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#761751","initial_release_date":"2025-11-18 00:00:00+00:00","revision_history":[{"date":"2026-01-05T16:55:15+00:00","number":"1.20260105165515.5","summary":"Released on 2026-01-05T16:55:15+00:00"}],"status":"final","version":"1.20260105165515.5"}},"vulnerabilities":[{"title":"The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length.","notes":[{"category":"summary","text":"The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution."}],"cve":"CVE-2025-12970","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#761751"}]},{"title":"Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs.","notes":[{"category":"summary","text":"Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing."}],"cve":"CVE-2025-12977","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#761751"}]},{"title":"FluentBits in_http plugin incorrectly checks the length of the byte string while decoding URI-style inputs, causing it to accept escapes, allowing an attacker to corrupt data and routing in a FluentBit system.","notes":[{"category":"summary","text":"FluentBits in_http plugin incorrectly checks the length of the byte string while decoding URI-style inputs, causing it to accept escapes, allowing an attacker to corrupt data and routing in a FluentBit system."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#761751"}]},{"title":"Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching.","notes":[{"category":"summary","text":"Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation."}],"cve":"CVE-2025-12978","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#761751"}]},{"title":"Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names.","notes":[{"category":"summary","text":"Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory."}],"cve":"CVE-2025-12972","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#761751"}]},{"title":"Fluent Bit in_forward input plugin does not properly enforce the security.","notes":[{"category":"summary","text":"Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs."}],"cve":"CVE-2025-12969","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#761751"}]}],"product_tree":{"branches":[]}}