Years-old bugs in open source took out major clouds at risk • The Register

11/24/2025


A series of “trivial-to-exploit” vulnerabilities in Fluent Bit, an open source log collection tool that runs in every major cloud and AI lab, was left open for years, giving attackers an exploit chain to completely disrupt cloud services and alter data.

The Oligo Security research team found the five vulnerabilities and – in coordination with the project’s maintainers – on Monday published details about the bugs that allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags. 

Updating to the latest stable version, v4.1.1 / 4.0.12, fixes the flaws.

Fluent Bit, an open source project maintained by Chronosphere, is used by major cloud providers and tech giants, including Google, Amazon, Oracle, IBM, and Microsoft, to collect and route data. 

It’s a lightweight telemetry data agent and processor for logs, metrics, and traces, and it has more than 15 billion deployments. At KubeCon earlier this month, OpenAI said it runs Fluent Bit on all of its Kubernetes nodes.

It’s been around for 14 years, and at least one of the newly disclosed bugs, a path-traversal flaw now tracked as CVE-2025-12972, has left cloud environments vulnerable for more than 8 years, according to Oligo Security researcher Uri Katz.

This, Katz told The Register, is because “the file-output behavior that makes path traversal possible has been a part of Fluent Bit since its early architecture. The other issues aren’t quite as old but are still long-standing.”

Most of these vulnerabilities are due to a new plugin being introduced, he added. “We can see based on code history, the tag-handling flaw behind CVE-2025-12977 has been present for at least four years, and the Docker input buffer overflow (CVE-2025-12970) goes back roughly 6 years.”

Fluent Bit is built around input plugins – these gather data from files, containers, HTTP endpoints, and other sources – and output plugins, which deliver that data to their destinations, such as cloud services or databases.

Each record passing through Fluent Bit carries a tag that acts as a routing label and determines which outputs it will be sent to. 

“There are multiple vulnerabilities here with different complexity levels,” Katz said. “Some can be triggered with only a basic understanding of Fluent Bit’s behavior and the specific vulnerability, while others, like the stack buffer overflow, demand more familiarity with memory corruption. Overall, the technical bar to exploit these is relatively low, and the issues should be considered trivial to exploit.”

Meet the 5 new CVEs

The five CVEs are:

CVE-2025-12977, a partial string comparison vulnerability in the tag_key configuration option. Affected inputs: HTTP, Splunk, Elasticsearch.

This type of flaw occurs when a program accepts a partial input string as a match for a complete string (like a password, username, or file path), and in this case, the vulnerability allows an attacker to control the value of tags – thus determining how and where the log data is processed – without knowing the tag_key value.

“An attacker with network access to a fluentbit http input server, Elasticsearch input data or Splunk input data, can send a json with a key from A-Z 0-9 essentially making sure one of the characters will match the key allowing them to control the tag value,” the Oligo researchers wrote. “An attacker could hijack routing, inject fake or malicious records under trusted tags, bypass filters or monitoring, and confuse downstream systems so logs end up in unexpected databases, dashboards, or alerting tools.” 
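The flaw class described above, as an added illustration that is not Fluent Bit’s code: a lookup that compares only as many bytes as the incoming key supplies treats any prefix of the configured tag_key as a match, so a handful of one-character probe keys is enough to find one that is accepted. The matcher shape, the constructed tag_key value and the probe alphabet are assumptions for the demonstration; the fixed variant requires the full string to match.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative, NOT Fluent Bit's code. Models the partial-comparison
 * flaw class: the comparison is bounded by the *incoming* key length,
 * so "m" (or even "") matches a configured key of "mytag". */
static int key_matches_vulnerable(const char *configured, const char *incoming)
{
    return strncmp(configured, incoming, strlen(incoming)) == 0;
}

/* Hardened: lengths must agree and every byte must match. */
static int key_matches_fixed(const char *configured, const char *incoming)
{
    size_t n = strlen(configured);
    return strlen(incoming) == n && memcmp(configured, incoming, n) == 0;
}

/* Defender's check: how many single-character keys drawn from a-z 0-9
 * does a given matcher accept as the configured tag_key? Anything
 * above zero means the key can be guessed one character at a time. */
static int count_probe_hits(int (*match)(const char *, const char *),
                            const char *configured)
{
    const char *alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
    char probe[2] = {0, 0};
    int hits = 0;
    for (const char *p = alphabet; *p; p++) {
        probe[0] = *p;
        hits += match(configured, probe);
    }
    return hits;
}

int main(void)
{
    const char *tag_key = "mytag";   /* constructed configuration value */
    printf("vulnerable matcher accepts %d single-char probe(s)\n",
           count_probe_hits(key_matches_vulnerable, tag_key));
    printf("fixed matcher accepts %d single-char probe(s)\n",
           count_probe_hits(key_matches_fixed, tag_key));
    return 0;
}
```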

CVE-2025-12978 is due to improper input validation on tag_key records. Affected inputs: HTTP, Splunk, Elasticsearch.

Fluent Bit’s tag_key option lets record fields bypass the normal sanitization process and define tags directly, which can lead to path traversal, injection, or unexpected file writes in downstream outputs.

CVE-2025-12972, a path traversal vulnerability in the File output plugin.

Vulnerable configurations:

  • Any configuration where the Tag value can be controlled (directly or indirectly) and the file output lacks a defined File key.
  • HTTP input with tag_key set and file output missing the File key.
  • Splunk input with tag_key set and file output missing the File key.
  • Elasticsearch input with tag_key set and file output missing the File key.
  • Forward input combined with file output missing the File key.

Again, because Fluent Bit uses tags straight from incoming logs without sanitizing them, attackers can use path traversal characters “../” in the tag to change the file path and name. “Since attackers can also partially control the data written to the file, this can lead to RCE on many systems,” the researchers warn.
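The file-name derivation described above, as an added example that is not Fluent Bit’s code: the vulnerable builder pastes the tag straight into the output path, while the fixed builder first requires the tag to be a single file-name component. The character whitelist (letters, digits, `.`, `_`, `-`) and the base directory are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative, NOT Fluent Bit's code: an output that names the target
 * file after the record tag when no fixed file name is configured. */
static int build_path_vulnerable(char *out, size_t outsz,
                                 const char *base, const char *tag)
{
    /* Tag is used verbatim, so "../" segments walk out of base. */
    return snprintf(out, outsz, "%s/%s", base, tag) < (int)outsz;
}

/* Hardened: accept the tag only if it is one safe path component.
 * Rejects empty, ".", "..", separators and anything outside the
 * assumed whitelist; the length bound matches a common NAME_MAX. */
static int tag_is_safe_component(const char *tag)
{
    size_t n = strlen(tag);
    if (n == 0 || n > 255) return 0;
    if (strcmp(tag, ".") == 0 || strcmp(tag, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tag[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;   /* '/', '\\', whitespace, control bytes, etc. */
    }
    return 1;
}

static int build_path_fixed(char *out, size_t outsz,
                            const char *base, const char *tag)
{
    if (!tag_is_safe_component(tag)) return 0;
    return snprintf(out, outsz, "%s/%s", base, tag) < (int)outsz;
}
```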

CVE-2025-12970, a stack buffer overflow bug in the in_docker plugin, used to collect Docker container metrics.

Fluent Bit copies a container’s name into a fixed 256-byte buffer without checking its length, and this means a long container name can overflow that stack buffer. An attacker who can control container names or create containers can use a long name to trigger a stack overflow and crash the agent or execute code. “In a worse scenario, the overflow could let an attacker run code as the agent, letting them steal secrets from the host, install a backdoor, or move laterally to other services,” according to the bug hunters.

CVE-2025-12969, an authentication bypass vulnerability in the in_forward plugin – this is a network input plugin that receives logs from other Fluent Bit or Fluentd instances.

The researchers found that if the security.users configuration option is specified, no authentication occurs. This could allow all manner of nefarious activity including spamming security alerts to hide actual malicious behavior, injecting false telemetry to hide attackers’ activity, overwriting or exfiltrating logs, or feeding misleading data into detection pipelines.

Worst-case scenario

“A hypothetical worst-case scenario would be an attacker chaining these flaws together,” Katz said. “For example: an attacker sends a crafted log message that abuses the tag_key vulnerabilities (CVE-2025-12977 / CVE-2025-12978) and then embeds path-traversal characters to trigger the file-write vulnerability (CVE-2025-12972). That lets the attacker overwrite files on the host and escalate to remote code execution.”

Additionally, because Fluent Bit is commonly deployed as a Kubernetes DaemonSet, “a single compromised log agent can cascade into full node and cluster takeover, with the attacker tampering with logs to hide their activity and establishing long-term persistence across all nodes,” he added.

Along with updating to the most recent, fixed version of Fluent Bit, Katz also recommends users harden their container environments, such as using static tags and fixed paths, read-only configurations and restricted access for network-exposed plugins.
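A constructed pair of Fluent Bit classic-format configurations, added here and not taken from the report, to make the hardening advice concrete. The first matches one of the vulnerable shapes listed above (HTTP input with tag_key set, file output with no File key); the second applies a static tag, a fixed file name and a loopback-only listener. Port, paths and tag names are placeholders.

```ini
# Weak shape: the tag comes from the record, and the file output
# derives the file name from that tag because no File key is set.
[INPUT]
    Name     http
    Listen   0.0.0.0
    Port     9880
    tag_key  my_tag

[OUTPUT]
    Name     file
    Match    *
    Path     /var/log/fluent-bit

# Hardened shape: static tag, fixed file name, restricted listener.
[INPUT]
    Name     http
    Listen   127.0.0.1
    Port     9880
    Tag      http.ingest

[OUTPUT]
    Name     file
    Match    http.ingest
    Path     /var/log/fluent-bit
    File     http-ingest.log
```

With a fixed Tag and File, record content can no longer influence the routing label or the path written to; the listener change reduces who can reach the network-exposed plugin at all.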

Oligo first disclosed these flaws to the Fluent Bit security team on September 25, and in the Monday report, the security researchers note that it took several attempts – and an assist from AWS – to get CVEs issued and the vulnerabilities fixed.

“We thank Oligo Security for bringing this to our attention, collaborating, and making a responsible disclosure,” an AWS spokesperson told The Register. “We’re always grateful to work with security researchers who constructively strengthen the security of the cloud.”

On October 5, Oligo reached out to AWS’ vulnerability disclosure program to request CVE issuance and support, and on October 9, fluentbit v4.1.1 was released.

“The takeaway is clear,” the report says. “The security reporting and CVE assignment process for critical open-source infrastructure is still fragmented and fragile, and collaboration between maintainers, cloud providers, and security researchers is essential to keep the global software supply chain secure.” ®
