CVE-2025-12977 — Improper Validation of Specified Type of Input in Fluent BIT

CWE-1287 — Improper Validation of Specified Type of Input4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.1%

top 70.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fluentbit Fluent BIT Treasuredata Fluent BIT Msrc Azl3 Fluent-bit 3.1.10-2 ON Azure Linux 3.0 +2 more

Timeline

PublishedNov 24

Latest updateDec 1

Description

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages5 packages

▶NVDtreasuredata/fluent_bit4.1.0

▶CVEListV5fluentbit/fluent_bit< 4.0.12

▶msrcmsrc/azl3_fluent-bit_3.1.9-6_on_azure_linux_3.0

▶msrcmsrc/cbl2_fluent-bit_3.0.6-4_on_cbl_mariner_2.0

▶msrcmsrc/azl3_fluent-bit_3.1.10-2_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-v498-rhc6-28g9: Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs↗2025-11-24

▶

📋Vendor Advisories

Microsoft

CVE-2025-12977: CVE-2025-12977 Mariner: Mariner certcc: certcc Customer Action Required: Yes Remediation: CBL-Mariner Releases Reference: https://learn↗2025-11-11

▶

🕵️Threat Intelligence

Wiz

Supply Chain Attacks & AI Vulnerabilities: December Cloud Security Update | Wiz↗2025-12-01

▶