New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions

Five new vulnerabilities have been discovered in Fluent Bit, a popular open-source telemetry agent. These flaws could be exploited to compromise and take over cloud infrastructures, raising significant security concerns.

Oligo Security researchers identified these issues, which could allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags. The implications for cloud services are substantial.

Successful exploitation means attackers could disrupt operations, tamper with sensitive data, and gain deeper access into cloud and Kubernetes environments. This poses a serious threat to data integrity and system control.

One critical vulnerability, CVE-2025-12972, is a path traversal flaw: unsanitized tag values are used to build output filenames, so an attacker who controls a record's tag can write or overwrite arbitrary files on the host. That enables log tampering and, where the written file lands somewhere the system executes or trusts, remote code execution.
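To make the bug class concrete, the following added example (written for this article, not Fluent Bit's own code) shows a naive tag-to-filename derivation beside a hardened one. The base directory, the tags and the `.log` suffix are assumed values chosen for the demonstration; the point is that both `../` sequences and absolute paths in a tag let the resulting file escape the intended output directory, and that an allowlist on the tag plus a check on the resolved path closes both routes.

```python
import os
import re

# Assumed output directory for the demonstration (not a Fluent Bit default).
BASE_DIR = "/var/log/fluent-bit"

# Only letters, digits, dot, underscore and hyphen: no separators, no NUL.
SAFE_TAG = re.compile(r"[A-Za-z0-9._-]+")


def vulnerable_output_path(base_dir: str, tag: str) -> str:
    """Naive derivation: the record tag is used as the file name as-is.

    os.path.join happily follows '..' segments and, if the tag is an
    absolute path, discards base_dir entirely.
    """
    return os.path.join(base_dir, tag)


def escapes_base(base_dir: str, path: str) -> bool:
    """True if `path`, once resolved, is not inside `base_dir`."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def hardened_output_path(base_dir: str, tag: str) -> str:
    """Allowlist the tag, then verify the resolved path stays under base_dir.

    Raises ValueError for anything that could leave the output directory.
    """
    if not SAFE_TAG.fullmatch(tag):
        raise ValueError(f"rejected tag {tag!r}: disallowed characters")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, tag + ".log"))
    # Defense in depth: even a tag that passes the allowlist is re-checked
    # after path resolution (symlinks, normalization).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected tag {tag!r}: resolves outside {base}")
    return candidate


def is_safe_tag(base_dir: str, tag: str) -> bool:
    """Convenience wrapper: does the hardened derivation accept this tag?"""
    try:
        hardened_output_path(base_dir, tag)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed tags: one benign, two hostile (relative and absolute traversal).
    for tag in ("app.web", "../../etc/cron.d/evil", "/etc/cron.d/evil"):
        naive = vulnerable_output_path(BASE_DIR, tag)
        print(f"{tag!r:28} naive -> {naive} "
              f"(escapes base: {escapes_base(BASE_DIR, naive)}) "
              f"hardened accepts: {is_safe_tag(BASE_DIR, tag)}")
```

Note that the vulnerable version is wrong in two independent ways: `os.path.join` resolves `..` segments, and it drops the base directory altogether when the second argument is absolute. A fix that only strips `../` would still miss the second case, which is why the hardened version allowlists the tag and then re-checks the resolved path.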

Another significant issue, CVE-2025-12970, is a stack buffer overflow in the Docker Metrics input plugin. An attacker able to create containers with excessively long names could crash the agent or trigger code execution in its process.

Other vulnerabilities include flaws in tag-matching logic that allow spoofing of trusted tags, and improper input validation that leads to log corruption. There is also a missing-authentication issue in the in_forward input plugin, which could let an unauthenticated network client inject false telemetry and flood logs.

The CERT Coordination Center (CERT/CC) has also issued an advisory, confirming that many of these vulnerabilities require network access to a Fluent Bit instance and can lead to authentication bypass, RCE, service disruption, and tag manipulation.

These issues have been addressed in Fluent Bit versions 4.1.1 and 4.0.12, released last month. Amazon Web Services (AWS), which took part in the coordinated disclosure, urges customers running Fluent Bit to update immediately.

Further recommended actions include avoiding dynamic tags for routing, locking down output paths, mounting configuration files read-only, and running the agent as a non-root user. These reduce both the chance that attacker-controlled tags reach a file path and the damage a compromised agent can do.
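The first two recommendations can be checked mechanically against a Fluent Bit classic-format configuration. The following added example (not from the article or the Fluent Bit project) is a small audit script that parses `[INPUT]`/`[OUTPUT]` sections and flags a file output with no fixed `File` name or no `Path`, and a forward input that listens on all interfaces. The weak and hardened configurations embedded below are constructed for the demonstration; the assumption that an unset `Listen` means `0.0.0.0` is marked in the code. The read-only config mount and non-root user are deployment properties, not config keys, so they are outside what this script can verify.

```python
# Constructed weak configuration: the file output has no File key, so the
# record tag decides the file name, and it has no Path, so files land in the
# process working directory. The forward input has no Listen, so it binds
# every interface.
WEAK_CONFIG = """
[INPUT]
    Name   forward
    Port   24224

[OUTPUT]
    Name   file
    Match  *
"""

# Constructed hardened configuration: fixed output directory and file name,
# forward input bound to loopback only, and a match on a known tag prefix
# rather than a bare wildcard.
HARDENED_CONFIG = """
[INPUT]
    Name   forward
    Listen 127.0.0.1
    Port   24224

[OUTPUT]
    Name   file
    Match  app.*
    Path   /var/log/fluent-bit
    File   app.log
"""

# Assumption for this audit: an absent Listen key is treated as 0.0.0.0.
ASSUMED_DEFAULT_LISTEN = "0.0.0.0"


def parse_classic_config(text: str) -> list[dict[str, str]]:
    """Parse Fluent Bit classic format into a list of section dicts.

    Each dict carries the section name under "_section" (upper-cased) and the
    key/value pairs of that section with lower-cased keys. Comments and
    @-directives (@INCLUDE, @SET) are skipped.
    """
    sections: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1].strip().upper()}
            sections.append(current)
            continue
        if current is None:
            continue  # key outside any section: ignore
        parts = line.split(None, 1)
        key = parts[0].lower()
        current[key] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def audit_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means no flagged settings."""
    findings: list[str] = []
    for sec in parse_classic_config(text):
        kind = sec["_section"]
        plugin = sec.get("name", "").lower()
        if kind == "OUTPUT" and plugin == "file":
            if "file" not in sec:
                findings.append("out_file without File: the record tag becomes the file name")
            if "path" not in sec:
                findings.append("out_file without Path: output is relative to the working directory")
        if kind == "INPUT" and plugin == "forward":
            listen = sec.get("listen", ASSUMED_DEFAULT_LISTEN)
            if listen in ("0.0.0.0", "::"):
                findings.append(f"in_forward listens on all interfaces ({listen})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

Run on the constructed inputs, the weak configuration produces three findings and the hardened one none. The checks are deliberately conservative: a forward input bound to all interfaces is not a vulnerability by itself, but combined with the missing-authentication issue described above it is the exposure that lets an unauthenticated client inject records.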

These discoveries come over a year after another significant Fluent Bit flaw, CVE-2024-4323, dubbed “Linguistic Lumberjack,” which allowed for denial-of-service, information disclosure, or remote code execution.

The widespread use of Fluent Bit in enterprise environments means these vulnerabilities have the potential for serious impact on cloud service access, data integrity, and control over logging systems. For more details, see the report from Oligo Security and the CERT/CC advisory.

The discovery of these Fluent Bit flaws underscores pervasive vulnerabilities within cloud infrastructure. As critical services increasingly migrate to cloud environments, even minor security gaps can have significant, far-reaching consequences.

Concerns over cloud security are not isolated. The Dutch cabinet is currently scrutinizing a proposed acquisition of Solvinity, a cloud company vital to services like DigiD, highlighting national security implications. Read more: Cabinet does not yet want to block takeover of cloud company Solvinity.