Five newly discovered critical vulnerabilities in Fluent Bit, the open-source log processor embedded in billions of containers, are sending shockwaves through the cloud security community.
Oligo Security’s research uncovers attack chains that enable adversaries to bypass authentication, perform path traversal, hijack tags, and even achieve remote code execution all of which risk the very foundation of cloud infrastructure.
Fluent Bit is the stealthy backbone for collecting, processing, and forwarding logs. With over 15 billion deployments and more than 4 million pulls just last week, it runs everywhere: supporting AI research, banking platforms, automotive manufacturing, and underpinning giants like AWS, Google Cloud, and Microsoft Azure.
Its adoption is so broad that vulnerabilities within its core threaten not just isolated systems, but the broader stability of the cloud ecosystem.
Anatomy of the Vulnerabilities
The Oligo Security team’s findings outline five CVEs:
- CVE-2025-12972 (Path Traversal/File Overwrite): Attackers can inject path traversal strings (e.g., “../”) into unsanitized tags, letting them write or overwrite arbitrary files on disk. This isn’t just about log tampering it can lead to remote code execution on vulnerable deployments.
- CVE-2025-12970 (Stack Buffer Overflow): A flaw in the Docker input plugin allows attackers who can create containers with long names to overflow a stack buffer, potentially crashing or fully compromising Fluent Bit on the host machine.
- CVE-2025-12978 (Tag-Matching Spoofing): Due to faulty logic, attackers only need to guess the first character of a tag key to spoof trusted tags, reroute logs, inject malicious records, and bypass filtering and monitoring.
- CVE-2025-12977 (Tag Injection): User-controlled tag content bypasses sanitization, enabling attackers to inject dangerous characters such as traversal sequences and control characters corrupting downstream logs or enabling new attack vectors.
- CVE-2025-12969 (Authentication Bypass): Fluent Bit forwarders using only Security. Users for authentication silently turn off authentication altogether, leaving seemingly protected endpoints open to attackers sending logs or injecting false telemetry.
Some vulnerabilities, such as CVE-2025-12972, have lurked in cloud environments for over eight years, heightening the risk to organizations that depend on timely and accurate log data for detection and response.
Fluent Bit is a fast, lightweight telemetry agent that ships logs, metrics, traces and is commonly deployed as a Kubernetes DaemonSet or as a host agent via packages or containers.
Exploitation Scenarios and Impact
The practical consequences are alarming. Attackers exploiting these vulnerabilities could disrupt cloud services, tamper with and erase incriminating log entries, inject fake telemetry, or even seize full control of logging infrastructure.
Fluent Bit relies heavily on tags. Every record gets a tag, and that tag decides which filters and outputs will see it. If you route logs differently per service, per tenant, or per environment, you probably do it with tags.
For instance, by manipulating tags and exploiting path traversal, attackers could rewrite logs, conceal traces of compromise, or plant backdoors by executing malicious code through Fluent Bit.
These risks extend to a wide range of use cases:
- Banks and fintech firms: Transaction and login logs can be altered or exfiltrated, undermining fraud detection.
- Cloud and SaaS providers: Attackers may disrupt observability pipelines, falsify compliance data, or mislead incident response teams.
- Security products: Telemetry corruption can blind analysts to genuine threats or flood dashboards with noise.
Immediate mitigation steps include:
- Upgrade to Fluent Bit v4.1.1 or 4.0.12, where fixes for tag sanitization and authentication logic are in place.
- Avoid dynamic tag routing: Use static, predefined tags where possible.
- Restrict output file paths: Set explicit “Path” or “File” options in output configurations to prevent path traversal.
- Enforce read-only config mounts and follow least-privilege principles: run Fluent Bit as a non-root user and restrict file system access.
Security teams should audit their deployments for untrusted input sources, review tag-handling configurations, and monitor for signs of exploitation.
The discovery also highlights gaps in open-source vulnerability response. Despite disclosures through official channels, a major cloud provider’s involvement was needed to coordinate a rapid fix.
This episode underscores the need for stronger collaboration between cloud vendors, security researchers, and maintainers to protect critical software supply chains.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.