Summary : Fluent Bit is a widely used opensource tool for collecting and forwarding logs in cloud and containers like Kubernetes environments. A chain of 5 critical vulnerabilities discovered by Oligo Security team and findings reveal that attackers can misuse via Remote code execution putting cloud and container at risk.

Severity	Critical
CVSS Score	9.1
CVEs	CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, CVE-2025-12978
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

These vulnerabilities are CVE-2025-12977  CVE-2025-12970, CVE-2025-12969, CVE-2025-12978 , CVE-2025-12972. The vulnerabilities allow attackers to bypass authentication, manipulate log routing, achieve remote code execution, potentially leading to full compromise of cloud and Kubernetes environments using Fluent Bit for logging and observability.

Organizations relying on Fluent Bit must upgrade to the fixed versions and harden configurations to prevent remote takeover and log tampering. 

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
​Fluent Bit Tag_Key Input Validation Bypass	CVE-2025-12977	Fluent Bit	Critical	9.1	v4.0.12+ , v4.1.1+ , v4.2.0+
Fluent Bit Docker Input Stack Buffer Overflow	CVE-2025-12970	Fluent Bit	High	8.8	v4.0.12+ , v4.1.1+ , v4.2.0+
Fluent Bit Forward Input Authentication Bypass	CVE-2025-12969	Fluent Bit	Medium	6.5	v4.0.12+ , v4.1.1+ , v4.2.0+
Fluent Bit Tag Spoofing via Partial Tag_Key Match	CVE-2025-12978	Fluent Bit	Medium	5.4	v4.0.12+ , v4.1.1+ , v4.2.0+
Fluent Bit File Output Path Traversal	CVE-2025-12972	Fluent Bit	Medium	5.3	v4.0.12+ , v4.1.1+ , v4.2.0+

Technical Summary 

Fluent Bit vulnerabilities center around unsafe handling of tags and inputs, enabling attackers to manipulate routing, file paths and memory in ways that directly impact host systems and downstream security tooling.

These flaws can allow path traversal and arbitrary file writes, which in many real-world setups may escalate to remote code execution and persistent node compromise.

Additional vulnerabilities include stack buffer overflows and missing authentication checks that let attackers crash agents, execute code and inject false telemetry into trusted logging pipelines. 

Source: Oligo.security 

CVE ID	Vulnerability Details	Impact
CVE-2025-12977	Improper input validation allows injection of control chars, newlines, and path traversal sequences in tag values.	Log corruption and output injection.
CVE-2025-12970	Stack buffer overflow on container name copy due to lack of length check.	Crash or RCE.
CVE-2025-12969	Authentication bypass disables user-based auth, allowing unauthenticated log injection.	Unauthorized log injection.
CVE-2025-12978	Partial string comparison on Tag_Key lets attacker spoof tags by guessing first char.	Manipulation of log routing and filtering.
CVE-2025-12972	Path traversal via unsanitized tags causes arbitrary file write and possible remote code execution.	Arbitrary file write and RCE.

Remediation: 

• Upgrade all Fluent Bit deployments to v4.2.0 / v4.1.1 / v4.0.12  or latest version. 

Here are some recommendations below  

• Avoid using dynamic or untrusted tags in configuration for routing or file naming. 

• Always set explicit fixed Path or File parameters in out_file outputs to prevent path traversal. 

• Ensure forward inputs use both Shared_Key and Security.Users for proper authentication enforcement. 

• Limit network access to Fluent Bit instances to trusted sources only. 

• Run Fluent Bit with least privilege and restrict filesystem and configuration file write permissions. 

• Monitor logs and telemetry for abnormal tag values or unexpected log routing changes. 

Conclusion: 
The Fluent Bit vulnerabilities enable attackers to hide activity, corrupt evidence and even gain direct control of cloud workloads.

This puts cloud systems at risk because security teams may not see the real activity happening inside their environment.

Organizations using Fluent Bit should patch immediately, restrict network access and enforcing strong authentication and least‑privilege deployment as urgent priorities to reduce the risk of remote takeover and systemic observability compromise. 

References: 

• https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover  

• https://thehackernews.com/2025/11/new-fluent-bit-flaws-expose-cloud-to.html