Five vulnerabilities in the popular Fluent Bit open source tool could allow attackers to take over cloud services, Oligo Security warns.
The lightweight, highly scalable data agent supports the collection, processing, and forwarding of logs, metrics, and traces. It is widely used as a standard in observability pipelines across cloud environments and container orchestration platforms.
Fluent Bit is built around input plugins that gather data from various sources, and output plugins that deliver it to specified destinations. For identification purposes, each record carries a tag that also acts as a routing label.
Tracked as CVE-2025-12972 and described as a lack of sanitization of tag values that are used to generate filenames, the first of the newly disclosed bugs allows attackers to inject path traversal sequences.
This enables attackers to overwrite arbitrary files on disk, leading to log tampering and remote code execution (RCE), Oligo explains. Configurations where a defined ‘File’ key is missing from the file output are affected.
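As an added defensive illustration (not Fluent Bit's own code or its patch), the following C helper shows the kind of check a file output needs before turning a record tag into a filename, the class of flaw described above for CVE-2025-12972; the function names and the base directory are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Fluent Bit code: a hypothetical helper for a file
 * output that derives filenames from record tags. Only tags that form a
 * single plain path component are accepted, so no separator or traversal
 * sequence from an attacker-chosen tag can reach the filesystem. */

/* Returns 1 if the tag is safe to use verbatim as a filename, else 0. */
int tag_is_safe_filename(const char *tag)
{
    size_t len = strlen(tag);
    if (len == 0 || len > 255)                           /* empty or over one component */
        return 0;
    if (strcmp(tag, ".") == 0 || strcmp(tag, "..") == 0) /* directory references */
        return 0;
    /* Allow-list: letters, digits, '.', '_' and '-'. Anything else, including
     * '/', '\\', spaces and control bytes, fails closed. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tag[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Builds "<base_dir>/<tag>" into out. Returns 0 on success, -1 when the tag
 * is rejected or the result would be truncated. */
int build_output_path(const char *base_dir, const char *tag,
                      char *out, size_t out_len)
{
    if (!tag_is_safe_filename(tag))
        return -1;
    int n = snprintf(out, out_len, "%s/%s", base_dir, tag);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample tags: one ordinary, one traversal attempt, one empty. */
    const char *tags[] = { "kube.var.log", "../../other/dir", "" };
    char path[256];
    for (int i = 0; i < 3; i++) {
        int rc = build_output_path("/var/log/fluent-bit", tags[i], path, sizeof path);
        printf("tag %-16s -> %s\n", tags[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

The allow-list approach is deliberately stricter than stripping `..`: a tag that is not a single plain component is refused outright rather than rewritten.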
The second issue, CVE-2025-12970, a stack-based buffer overflow in the Docker input, allows attackers to create containers with extremely long names that exceed the allocated fixed 256-byte buffer, leading to crashes and code execution. Only setups with the Docker input are affected.
The third vulnerability, tracked as CVE-2025-12978, allows attackers to spoof trusted tags by guessing the first character of a tag key in HTTP, Elasticsearch, and Splunk inputs. This could lead to log rerouting, filter bypasses, and the injection of malicious or modified records.
The fourth bug, CVE-2025-12977, exists because tags derived from user-controlled fields bypass sanitization, allowing attackers to inject characters and sequences leading to log corruption or broader output-based attacks. It affects HTTP, Elasticsearch, and Splunk configurations.
Tracked as CVE-2025-12969, the fifth flaw exists because, when configured with Security.Users, Fluent Bit forwarders silently disable authentication. Remote attackers can exploit the issue to inject false telemetry, send logs, or flood detection systems.
Given Fluent Bit’s widespread presence across AWS, Google Cloud, Microsoft Azure, AI labs, financial services, and more, the newly identified security defects pose a critical risk to the cloud ecosystem, as they could allow attackers to cause disruptions and gain deep access to infrastructure, Oligo says.
“In practice, this means an attacker exploiting these vulnerabilities could not only disrupt cloud services and tamper with data, but also take over the logging service itself,” the security firm notes, warning that CVE-2025-12972 was introduced eight years ago.
The security defects affect Fluent Bit versions prior to 4.1.1 and 4.0.12. Updating to the latest stable release resolves all five vulnerabilities.
Oligo also notes that it reported the bugs to AWS, which immediately addressed them by migrating to Fluent Bit version 4.1.1.