Particle.news

Fluent Bit Flaws Disclosed, Patches Issued to Stop Log Tampering and RCE

Public advisories urge immediate updates to versions 4.1.0 and later.

Overview

  • CERT/CC and Oligo Security detailed five CVEs across Fluent Bit plugins that enable authentication bypass, stack buffer overflow, path traversal and tag manipulation.
  • Tag handling bugs in the in_http, in_splunk and in_elasticsearch inputs allow forged tags, injection and log misrouting (CVE-2025-12977, CVE-2025-12978).
  • The in_forward input may accept unauthenticated data under certain configurations (CVE-2025-12969), and a Docker input flaw can crash the agent or permit code execution via long container names (CVE-2025-12970).
  • When the File option is unset, out_file can derive paths from unsanitized tags, enabling writes outside the intended directory (CVE-2025-12972).
  • Fixes are available in Fluent Bit 4.1.0 and newer (maintenance releases 4.1.1 and 4.0.12 were issued earlier). Operators are advised to update, avoid dynamic tags, lock down file outputs, run with least privilege and restrict exposed inputs; AWS took part in the coordinated remediation.
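The mitigations in the last three bullets map onto a handful of plugin options. The following is an added example written for this summary, not configuration from the advisories or the Fluent Bit project: a weak pipeline in which clients choose the tag and out_file has no File set, placed beside a hardened one. Option names (Listen, Port, Tag, Tag_Key, Shared_Key, Self_Hostname, Path, File, Match) are Fluent Bit's own in its classic configuration format; the paths, ports, tag names and the shared-key value are constructed placeholders, and whether a given setting is the one a particular CVE hinges on is an assumption here, not a claim from the advisory text.

```ini
# Added example, not the project's or the advisory's own configuration.
# Paths, ports, tag names and the key value below are constructed placeholders.

# ---- Weak pipeline ----
# Tag_Key lets a record supplied by the client overwrite the tag, the listener
# binds every interface, and out_file has no File option, so the file name is
# derived from that client-controlled tag.
[INPUT]
    Name     http
    Listen   0.0.0.0
    Port     9880
    Tag_Key  tag

[OUTPUT]
    Name     file
    Match    *
    Path     /var/log/fluent-bit
    # File intentionally unset here to show the weak setting.

# ---- Hardened pipeline ----
# A fixed Tag replaces Tag_Key (no dynamic tags), listeners bind loopback only
# (restrict exposed inputs), the forward input requires a shared key, and
# out_file names its file explicitly so the tag no longer influences the path
# (lock down file outputs). Run the agent under an unprivileged service account.
[INPUT]
    Name     http
    Listen   127.0.0.1
    Port     9880
    Tag      app.http

[INPUT]
    Name           forward
    Listen         127.0.0.1
    Port           24224
    Shared_Key     REPLACE_WITH_A_LONG_RANDOM_SECRET
    Self_Hostname  collector.example.internal

[OUTPUT]
    Name     file
    Match    app.*
    Path     /var/log/fluent-bit
    File     app.log
```

A quick check after applying the hardened configuration: send a record whose JSON body contains a `tag` field to the HTTP input and confirm that it lands in `app.log` rather than in a file named after the submitted value, and that the agent still reports the fixed tag `app.http` for it. Even with these settings in place, the version upgrade remains the primary fix; the options above reduce exposure but do not replace the patched releases.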