A chain of five newly disclosed critical vulnerabilities in Fluent Bit exposes the containerized and cloud environments that depend on it to remote compromise.
Fluent Bit, an open-source logging and telemetry agent deployed over 15 billion times globally, sits at the core of modern cloud infrastructure.
The tool collects, processes, and forwards logs across banking systems, cloud platforms like AWS and Microsoft Azure, and Kubernetes environments.
When failures occur at this scale, they do not just affect individual systems but ripple across the entire cloud ecosystem.
These newly disclosed flaws let attackers bypass authentication, perform unauthorized file operations, achieve remote code execution, and cause denial of service; several of them hinge on tag values that are never sanitized.
The flaws span several of the agent's core functions. Attackers exploiting them could disrupt cloud services, tamper with data, and execute malicious code while covering their tracks.
By controlling the logging agent's behavior, adversaries can inject fake telemetry, reroute logs to unauthorized destinations, and alter which events get recorded at all.
Some of these flaws have been present in the code base for over eight years, leaving cloud environments exposed to determined attackers. Security researchers at Oligo Security identified them in collaboration with AWS through coordinated vulnerability disclosure.
The research demonstrates how weaknesses in foundational infrastructure components can enable sophisticated attack chains affecting millions of deployments worldwide.
Oligo Security analysts identified the vulnerabilities after conducting thorough security assessments of Fluent Bit’s input and output plugins.
The research team discovered that authentication mechanisms, input validation, and buffer handling contained critical security gaps.
Their findings prompted immediate coordination with AWS and the Fluent Bit maintainers, resulting in fixes released in versions 4.1.1 and 4.0.12.
Technical Breakdown of Path Traversal and File Write Vulnerabilities
CVE-2025-12972 represents one of the most dangerous flaws in the chain. The File output plugin in Fluent Bit writes logs directly to the filesystem using two configuration parameters: Path and File.
Many common configurations set only Path and derive the file name from the record tag. The plugin does not sanitize the tag before building the file path, so an attacker who controls the tag can inject traversal sequences such as "../" to escape the intended directory and write files anywhere the Fluent Bit process has write access.
Because the attacker also has partial control over the data written to those files (the content of the log records they submit), they can plant malicious configuration files, scripts, or executables in sensitive system locations.
When Fluent Bit runs with elevated privileges, this escalates to remote code execution. The flaw is trivially exploitable when the HTTP input is configured with Tag_Key, so that the tag is read from a field of the submitted record, and the file output lacks an explicit File parameter.
Configurations using the forward input combined with file output are equally vulnerable, enabling unauthenticated attackers to inject malicious tags and write arbitrary files.
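The following Python model, added here as an illustration and not taken from the Fluent Bit source or the Oligo research, shows the two constructions side by side: the file name taken from an unchecked tag (the behaviour described above) and a hardened version that treats a tag-derived name as a single path component and verifies the normalised result stays under Path. The function and field names (`my_tag`, `tag_from_http_record`, the sample request bodies) are assumptions made for the example.

```python
"""Model of how a tag-derived file name escapes the configured directory.

Added illustration, not Fluent Bit source code.  It mirrors the behaviour the
text describes for the file output: with only Path configured, the file name is
taken from the record tag.  All function and field names are assumptions.
"""
import json
import posixpath
from typing import Optional


def tag_from_http_record(body: bytes, tag_key: str, default_tag: str) -> str:
    """Model of the HTTP input with Tag_Key: the tag is read from a field of
    the JSON the client posted, so the sender chooses it."""
    record = json.loads(body)
    value = record.get(tag_key)
    return value if isinstance(value, str) and value else default_tag


def output_path_unsanitized(path: str, file: Optional[str], tag: str) -> str:
    """Vulnerable construction: Path joined with File, or with the raw tag
    when File is absent.  Nothing checks the tag for '../'."""
    return posixpath.join(path, file if file else tag)


def output_path_hardened(path: str, file: Optional[str], tag: str) -> str:
    """Hardened construction: a tag used as a file name must be a single path
    component, and the normalised result must stay inside Path."""
    name = file if file else tag
    if not file and (name in ("", ".", "..") or any(c in name for c in "/\\\0")):
        raise ValueError(f"refusing tag-derived file name {name!r}")
    base = posixpath.normpath(path)
    target = posixpath.normpath(posixpath.join(base, name))
    if target != base and not target.startswith(base.rstrip("/") + "/"):
        raise ValueError(f"{target!r} escapes {base!r}")
    return target


# Constructed request bodies, as a client might POST to the HTTP input with
# `Tag_Key my_tag` configured.  Sample data, not captured traffic.
MALICIOUS_BODY = json.dumps({
    "my_tag": "../../../tmp/evil.sh",
    "log": "#!/bin/sh\nid > /tmp/pwned\n",
}).encode()
BENIGN_BODY = json.dumps({"my_tag": "app.web", "log": "GET /healthz 200"}).encode()


def demo(path: str = "/var/log/fluent-bit") -> dict:
    """Run both constructions over both bodies and collect the resulting paths."""
    results = {}
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        tag = tag_from_http_record(body, "my_tag", "http.0")
        results[f"{label}_unsanitized"] = posixpath.normpath(
            output_path_unsanitized(path, None, tag))
        try:
            results[f"{label}_hardened"] = output_path_hardened(path, None, tag)
        except ValueError as exc:
            results[f"{label}_hardened"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

With the malicious body the unsanitized construction resolves to `/tmp/evil.sh`, outside the configured directory, while the hardened version rejects the tag before any path is built; the benign tag `app.web` passes both. Note that the hardened check is a model of what a fix must enforce, not the maintainers' patch.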
| CVE ID | Vulnerability Type | Affected Component | CVSS Severity | Impact |
|---|---|---|---|---|
| CVE-2025-12972 | Path Traversal File Write | out_file plugin | Critical | RCE, Log Tampering |
| CVE-2025-12970 | Stack Buffer Overflow | in_docker plugin | Critical | DoS, RCE |
| CVE-2025-12978 | Partial String Comparison | HTTP/Splunk/Elasticsearch inputs | Critical | Tag Spoofing |
| CVE-2025-12977 | Improper Input Validation | HTTP/Splunk/Elasticsearch inputs | Critical | Injection Attacks |
| CVE-2025-12969 | Missing Authentication | in_forward plugin | Critical | Unauthorized Access |
Immediate patching to version 4.1.1 or 4.0.12 is critical for all organizations running Fluent Bit. Organizations should prioritize updating production deployments and implement configuration changes to limit attack exposure.
Static, predefined tags keep untrusted input from influencing routing and file operations. Setting both Path and File explicitly in file outputs removes tag-based path construction altogether.
Running Fluent Bit as a non-root user, with its configuration mounted read-only, significantly limits what a successful exploit can do. AWS has already patched its internal systems and recommends that all customers upgrade immediately.
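A small audit script for Fluent Bit's classic configuration format, added here as an example (it is not part of Fluent Bit or of the Oligo research). The two embedded configurations are constructed samples, and the checks encode only the conditions named in this article: Tag_Key on the HTTP input, the forward input feeding a file output, and a file output with Path but no File.

```python
"""Audit a Fluent Bit classic-format config for the exposure pattern described
in the text: a file output without an explicit File name, fed by inputs whose
tags are chosen by the sender.  Added example, not Fluent Bit's own tooling."""
from typing import Dict, List

# Constructed sample configs (not taken from any real deployment).
VULNERABLE_CONFIG = """
[SERVICE]
    Flush 1

[INPUT]
    Name    http
    Listen  0.0.0.0
    Port    8888
    Tag_Key my_tag

[INPUT]
    Name    forward
    Listen  0.0.0.0
    Port    24224

[OUTPUT]
    Name  file
    Match *
    Path  /var/log/fluent-bit
"""

HARDENED_CONFIG = """
[SERVICE]
    Flush 1

[INPUT]
    Name   http
    Listen 127.0.0.1
    Port   8888
    Tag    app.http

[OUTPUT]
    Name  file
    Match app.*
    Path  /var/log/fluent-bit
    File  app.log
"""


def parse_classic_config(text: str) -> List[Dict]:
    """Minimal parser for the classic [SECTION] / 'Key Value' format.
    Keys are lower-cased because Fluent Bit treats them case-insensitively."""
    sections: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"type": line[1:-1].strip().upper(), "keys": {}}
            sections.append(current)
            continue
        if current is None:
            continue
        parts = line.split(None, 1)
        current["keys"][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the
    article's risky combinations were found."""
    findings: List[str] = []
    sections = parse_classic_config(text)
    sender_controlled_tags: List[str] = []
    for s in sections:
        if s["type"] != "INPUT":
            continue
        name = s["keys"].get("name", "").lower()
        if name == "http" and "tag_key" in s["keys"]:
            findings.append("in_http sets Tag_Key=%s: the tag is read from the "
                            "submitted record" % s["keys"]["tag_key"])
            sender_controlled_tags.append("http")
        elif name == "forward":
            # forward-protocol messages carry their own tag, chosen by the client
            sender_controlled_tags.append("forward")
    for s in sections:
        if s["type"] != "OUTPUT" or s["keys"].get("name", "").lower() != "file":
            continue
        if "file" in s["keys"]:
            continue
        msg = ("out_file (Path=%s) has no File parameter: the file name is "
               "derived from the tag" % s["keys"].get("path", "<unset>"))
        if sender_controlled_tags:
            msg += "; tags arrive from sender-controlled inputs: " + ", ".join(
                sorted(set(sender_controlled_tags)))
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The script handles only the classic format, not Fluent Bit's YAML configuration, and it cannot see how the process is run; the non-root and read-only-config recommendations above still have to be checked in the container or service definition.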
The security community views these vulnerabilities as evidence of systemic challenges in open-source security reporting, where critical infrastructure components often rely on volunteer maintainers with limited resources to address coordinated security disclosures.