Fluentbit Fluent Bit vulnerabilities

5 known vulnerabilities affecting fluentbit/fluent_bit.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH1MEDIUM3

Vulnerabilities

Page 1 of 1
CVE-2025-12977CRITICALCVSS 9.1fixed in 4.0.122025-11-24
CVE-2025-12977 [CRITICAL] CWE-1287 CVE-2025-12977: Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. A Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outp
nvd
CVE-2025-12970HIGHCVSS 8.8fixed in 4.0.122025-11-24
CVE-2025-12970 [HIGH] CWE-120 CVE-2025-12970: The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed s The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution.
nvd
CVE-2025-12972MEDIUMCVSS 5.3fixed in 4.0.122025-11-24
CVE-2025-12972 [MEDIUM] CWE-22 CVE-2025-12972: Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. Wh Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output dir
nvd
CVE-2025-12969MEDIUMCVSS 6.5fixed in 4.0.132025-11-24
CVE-2025-12969 [MEDIUM] CWE-306 CVE-2025-12969: Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mecha Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log rec
nvd
CVE-2025-12978MEDIUMCVSS 5.4fixed in 4.0.122025-11-24
CVE-2025-12978 [MEDIUM] CVE-2025-12978: Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key vali Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to ma
nvd